E-Commerce Law Week, Issue 519
August 9, 2008

Encryption Requirements Popping Up All Over
The Office of the Information and Privacy Commissioner for Newfoundland and Labrador has found that encryption is a "necessary" part of the "reasonable security measures" for the protection of personal information stored on laptops that public bodies must adopt under that province's Access to Information and Protection of Privacy Act (ATIPPA). The Office made this finding in a report on the theft of four laptops containing the unencrypted personal information of school children from the offices of a school district. The Office found that the district's use of a password as the "sole form of security" on the stolen laptops violated a statutory requirement that public bodies "shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal." The Office's action is only the latest in a worldwide trend toward requiring encryption of personal information or other sensitive data.
UK Information Commissioner Takes UK Agencies to Task for Failure to Encrypt Mobile Media
Another illustration of this trend comes from across the pond. There, the UK Information Commissioner's Office (ICO) reaffirmed its tough line towards entities that fail to encrypt personal data stored on laptops and other mobile media by issuing enforcement notices to two UK agencies that recently suffered significant breaches of personal information. According to the ICO's first enforcement notice, two password protected -- but unencrypted -- compact disks that Her Majesty's Revenue and Customs (HMRC) sent to another UK regulator in 2007 were lost in the mail, potentially compromising "the personal data of up to 25 million individuals." In its other enforcement notice, the ICO cited the January theft of an unencrypted Ministry of Defence (MOD) laptop holding the personal data of "up to 1,000,000 individuals" from a car that had been left in a parking lot overnight. The ICO found that both HMRC and the MOD had violated the Third and Seventh Data Protection Principles of the Data Protection Act 1998, and ordered them to implement several data security recommendations. While these specific actions are limited to government agencies, they reinforce the growing trend in the UK -- as well as the United States and around the world -- to regard encryption as a necessary component of data security.
EU Proposal Would Punish Companies for Cooperating with "Internet-Restricting Countries"
The European Parliament is considering a directive that would bar European businesses from helping "Internet-restricting countries" censor online activities. The "EU Global Online Freedom Act" (EU-GOFA) mirrors the American Global Online Freedom Act (GOFA), a bill proposed two years ago in the U.S. House of Representatives. Like the American bill, the EU-GOFA would forbid Internet companies from locating search engines and content hosting services in Internet-restricting countries, obeying demands from such countries to censor search results and web content, and assisting such countries in identifying a web user "except for legitimate foreign law enforcement purposes." Violations of these provisions would be punishable by civil and criminal penalties, and any person injured by a business' assistance in identifying a web user could bring an action for damages. The EU-GOFA would also require EU persons to obtain a license before "knowingly export[ing] any item to an end user in an Internet-restricting country for the purpose, in whole or in part, of facilitating Internet censorship." Unlike the American GOFA, the directive would mandate that "all unnecessary limitations" that non-European countries place on Internet services be considered barriers to trade. The EU-GOFA would apply only to EU companies and certain of their foreign subsidiaries.
Courts Just Can't Agree on When Employee Access to Computer is "Authorized" under CFAA
Courts continue to disagree over whether an employee violates the Computer Fraud and Abuse Act (CFAA) when he accesses a company computer with authorization but then steals information for some nefarious purpose. In Black & Decker (US), Inc. v. Smith, a federal court in Tennessee ruled that a disloyal employee who allegedly copied confidential Black & Decker (B&D) information before being terminated did not access this information "without authorization" or "exceed" his authorized access within the meaning of the CFAA, since he was permitted access to the information while employed. But, in Mintel International Group, Ltd. v. Neergheen, a federal court in Illinois held that an employee might have "exceeded authorized access" by sending confidential information from his workplace computer to his personal email address before leaving the company.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.