E-Commerce Law Week, Issue 525
September 20, 2008
Virginia Supreme Court Strikes Down State Spam Law
The Virginia Supreme Court struck down that state's anti-spam law on September 12, finding that provisions of the law that criminalize the falsification of email routing information "in connection with the transmission of unsolicited bulk [email] through ... the network of an [email] … provider" placed restrictions on speech that were unconstitutionally overbroad. After his conviction under this law for sending more than 50,000 emails to AOL subscribers, Jeremy Jaynes appealed, contending, inter alia, that the Virginia law "abridge[d] the First Amendment right to anonymous speech." An appellate court confirmed his conviction, but the state supreme court reversed, holding that the law was "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails including those containing political, religious, or other speech protected by the First Amendment." Put another way, the court essentially held that people have a constitutional right to falsify an IP address or domain name, since that is effectively "the only way" to send anonymous email.
SEC and HHS Join the Data Security Posse
No longer willing to let the Federal Trade Commission act as the Lone Ranger of federal data security enforcement, the Securities and Exchange Commission and the Department of Health and Human Services have begun taking action against companies whose data security practices violate the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), respectively. Earlier this month, LPL Financial Corporation agreed to remedy any deficiencies in its data security policies and procedures identified by an independent consultant and pay $275,000 to settle SEC charges that its failure to implement "adequate" data security allowed hackers to make unauthorized trades in the accounts of LPL's customers, in violation of the Safeguards Rule of GLBA Regulation S-P. Meanwhile, several members of the Providence health care group agreed this July to adopt new security policies and procedures and pay $100,000 to settle HHS charges that they had failed to adequately secure patient information, in violation of the HIPAA Privacy and Security Rules. In addition to signaling an uptick in data security enforcement by federal regulators, these developments could help refine the working definition of "reasonable" data security that the FTC has adopted in its settlements with alleged violators of the "unfair or deceptive acts or practices" prong of the FTC Act.
California Legislature Passes Data Security Legislation
California lawmakers have passed legislation that would create new data security requirements for retailers and health care providers and add identity theft to the list of the types of insurance that may be sold in the Golden State. AB 1656 would amend the state's breach notification law to create several new data security and breach notification requirements for merchants, including mandatory encryption for certain information. The law would also require all entities that provide "substitute notice" of a breach to affected individuals to also notify California's Office of Information Security and Privacy Protection. SB 541 and AB 211, which were prompted by recent reports that medical staff viewed the records of celebrities without authorization, require health care providers to safeguard patients' medical information and create fines of up to $250,000 for violations. And AB 1906 would allow individuals to obtain a required certificate from the state Insurance Commissioner for the sale of identity theft insurance. It's not yet clear if or when the bills will be signed into law.
New Jersey Court Finds No Reasonable Expectation of Privacy in Workplace Computers
A New Jersey appellate court ruled last month that an employee who used his workplace computers to commit a crime had no reasonable expectation of privacy in information stored on these computers. The State of New Jersey accused defendant "M.A." of stealing over half a million dollars from his former employer, Certified Data Products (CDP), based in part on evidence that police found while searching the defendant's workplace computers with CDP's consent. The defendant moved to suppress this evidence, claiming, inter alia, that he had a reasonable expectation of privacy in personal information stored in the computers. The court denied the motion, finding that the defendant lost any reasonable expectation of privacy when he "abandoned" the computers by declining CDP's offer to return the day after his firing to "gather his personal belongings." More importantly, the court also ruled that the facts that defendant had a private office and used a confidential password on the computers did not give rise to a reasonable expectation of privacy in information stored on the computers. The court also held that any subjective expectation of privacy created by the use of a password would be unreasonable given the facts of the case.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













