E-Commerce Law Week, Issue 526

Massachusetts Issues Sweeping Data Security Regulations, Including Mandatory Encryption

Massachusetts has issued regulations requiring businesses that own or maintain personal information about state residents to implement comprehensive data security measures. These appear to be the broadest and most detailed data security prescriptions to be imposed at the state or federal level. The regulations also specifically require businesses and other entities, "to the extent technically feasible," to encrypt "all transmitted records and files containing personal information that will travel across public networks" and "all data to be transmitted wirelessly." The same entities must also encrypt "all personal information stored on laptops or other portable devices." Massachusetts thus becomes the second state, after Nevada, to require the use of encryption, and adds to a growing international trend. The regulations will take effect January 1, 2009.

Court Requires Search Warrant for Acquisition of Cell Phone Location Data

A federal court in Pennsylvania last month held that the government must obtain a search warrant based on probable cause in order to obtain a cell phone user's historical location data from a cellular service provider. The government had asked the court to order the production of this stored location data under the more lenient standards of section 2703(d) of the Stored Communications Act (SCA), which states that a court may order an electronic communication service provider to disclose "a record or other information pertaining to a subscriber" upon a showing that "there are reasonable grounds to believe that ... the records or other information sought ... are relevant and material to an ongoing criminal investigation." The court rejected the government's request, affirming a magistrate judge's determination that the text of the SCA, its legislative history, and constitutional concerns required the court to assess government requests for a cell phone location data under the probable cause standard.

Plaintiffs File New Warrantless Wiretapping Suit Against Government

Litigation over the government's warrantless wiretapping program continues. Less than a month after the Ninth Circuit remanded Hepting v. AT&T for reconsideration in light of the retroactive immunity that the FISA Amendments Act of 2008 effectively granted to communications providers that cooperated with the wiretapping, four of the plaintiffs from Hepting have joined the Electronic Frontier Foundation in filing a new putative class action suit (EFF v. NSA) that brings similar claims but names only government defendants. Meanwhile, the government has filed a new motion to dismiss the claims brought against communication providers in Hepting and other warrantless wiretapping cases.

Steptoe Attorneys Present Webcast on Encryption

On Tuesday, October 7, at 1:00 p.m. EDT, Steptoe attorneys, Michael Vatis, Julia Court Ryan, and David Lorello will present a webcast, in association with West, a Thomson business, on how U.S. and other countries' laws and regulations restrict the export of encryption software, hardware, and technology, as well as how many countries restrict the import and use of these items. Among other topics, the webcast will focus on "intangible" imports, travelling with encryption on mobile devices, and "deemed exports." Registration is open to all, and CLE credit is available.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.