E-Commerce Law Week, Issue 508

How One Mean Mom Might Kill Anonymity on the Web

Have you ever created a MySpace or Facebook account using a fake name or date of birth?  Or accessed a dating or a news website using an alias?  Well, you could be looking at a year or more in the federal penitentiary.  And, if you used any information you gathered from the site to send a hurtful email or post a critical comment about someone, you could be looking at five years or more.  That's the upshot of a decision by a federal grand jury in Los Angeles to indict Lori Drew, the Missouri mother who created a fake MySpace account to correspond with a 13-year-old girl next door, thereby allegedly causing the girl to commit suicide.  The linchpin of the indictment is a broad reading of the Computer Fraud and Abuse Act (CFAA) to criminalize the act of obtaining information from a website in a manner that violates the site's terms of service.  Ms. Drew's conduct has been widely reviled, and rightly so.  But if she is convicted of the crimes charged, anonymity on the Internet could become a thing of the past. 

Court Reaffirms that Private Parties Cannot Obtain Email Content With A Civil Subpoena

A federal court recently reaffirmed that the Electronic Communications Privacy Act (ECPA) does not permit an Internet service provider to disclose the content of stored emails to a private party in response to a civil discovery subpoena.  One would have thought this principle was well established.  But apparently a reminder is sometimes necessary.  Cori and Kerri Rigsby, insurance adjusters for a State Farm contractor, allegedly used their AOL accounts to email Thomas and Pamela McIntosh with information they believed showed that State Farm had engaged in fraud in assessing the McIntoshes' Hurricane Katrina damage claim.  During discovery, the Rigsbys asked a federal court to quash State Farm’s subpoena to AOL, claiming, among other things, that it violated ECPA.  A magistrate granted the motion to quash and the district court affirmed, finding that § 2703(b) "pertains exclusively to criminal investigations, not civil discovery matters."  It further found ECPA "protect[ed] the Rigsbys' stored e-mails because the Rigsbys [had] a legitimate interest in the confidentiality of their personal emails being stored electronically by AOL" and that disclosure to State Farm did not fall into the exceptions located in § 2702(b) of ECPA, which allow voluntary disclosure by an ISP in certain delineated circumstances.

New Law Gives Teeth to UK Data Breach Regulator

A recent Act of Parliament will give the UK Information Commissioner's Office (ICO) the power to levy fines directly against companies that suffer data breaches.  The ICO currently has the power to order improvements in data security and seek penalties in the courts, but cannot impose fines directly.  However, under the Criminal Justice and Immigration Act 2008, passed on May 8, the ICO will be authorized to fine data controllers that engage in a "serious contravention" of the data protection principles established by the UK Data Protection Act 1998, if this contravention is "likely to cause substantial damage or substantial distress" and the controller acted deliberately or knew or should have known that a contravention would result in substantial damage or distress.  In recent months, the ICO has taken action against several companies for violations of the Seventh Data Protection Principle, which requires that "[a]ppropriate technical and organisational measures ... be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."  As a result of the legislation, companies that violate the Seventh Data Protection Principle by losing a laptop or otherwise compromising the personal information of UK residents are more likely to face fines from the ICO.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.