E-Commerce Law Week, Issue 507

Iowa and Oklahoma Join the Breach Brigade

Iowa fought hard to maintain its status as the first state to select delegates to the Democratic and Republican conventions.  But it was in no such rush when it came to data breach notification laws.  On May 9, Iowa's governor signed legislation that makes the Hawkeye state the 43rd to enact a data breach notification law.  The notification provisions and definitions in the Iowa law are fairly standard.  The law requires any person or business that owns or licenses the personal information of a state resident to notify the resident if this information is breached, unless the person or business determines that there is no reasonable likelihood of financial harm.  The law deems a violation to be an unfair trade practice, and authorizes the state's attorney general to impose "a civil penalty not to exceed forty thousand dollars per violation" and seek damages "on behalf of a person injured" by a violation.  The Iowa law takes effect on July 1, 2008.  Meanwhile, on April 28, Oklahoma's governor signed a measure extending the Sooner State's breach notification requirement -- previously applicable only to government agencies -- to private individuals, businesses, and other entities that own or license computerized data that includes the personal information of state residents.  The Oklahoma law is effective November 1, 2008.  Finally, Alaska's legislature also passed a breach notification bill last month, which is awaiting transmission to that state's governor.

FTC Adopts Final CAN-SPAM Rules

The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act.  Most notably, the rules modify the definition of “sender” to address situations where a single email message contains advertisements from multiple parties.  In such a situation, if only one person is identified in the "from" line of the commercial email, then this person will generally be considered the "sole sender" of the email and will be exclusively responsible for handling opt-out requests.  Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails.   The rules become effective July 7, 2008.

Court Upholds Subpoena of ISP for Identity of Alleged Copyright Infringer

Courts continue to debate what standard to apply when considering motions to quash civil subpoenas that require Internet service providers to identify subscribers.  Some courts have held that a plaintiff seeking to unmask a subscriber must show that its case would survive a motion for summary judgment or meet some other heightened pleading standard.  But in Arista Records LLC v. Does 1-19, a federal court in Washington, D.C., refused to apply a heightened standard in evaluating a subpoena served by record companies on George Washington University (GW) for the identity of an anonymous user of its campus network who allegedly downloaded and distributed copyrighted music.  In refusing to quash the subpoena, the court suggested that a heightened standard should be applied only in cases involving "actual" speech, and not where the alleged speech involves copyright infringement.

Ruling Extends U.S. Patent Law to Websites Operating Abroad

In order to state a patent claim for unauthorized use of an invention, a plaintiff must show, among other things, that the invention was used in the United States -- seemingly a tricky proposition when the invention is part of a website maintained abroad.  But, in Renhcol Inc. v. Don Best Sports, a federal court in Texas recently ruled that, where users in the United States "control and derive beneficial use from a device located overseas that infringes claimed system, those users use the infringing device in the United States and commit direct infringement."  As a result of such use by users,  the website owners could be held liable for inducing the infringement.  Since many of today's highly interactive websites are controlled by and benefit users, this ruling could create liability under U.S. patent law for websites accessible in the United States, no matter where they are hosted or maintained.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.