
E-Commerce Law Week, Issue 528

October 11, 2008

Schwarzenegger Signs Some Data Security Bills, Terminates Others

California Governor Arnold Schwarzenegger signed two bills aimed at protecting the privacy of patients' medical information late last month, but vetoed other data security legislation.  He approved SB 541 and AB 211, which, as we previously reported, require health care providers to safeguard patients' medical information and create fines of up to $250,000 for violations.  But he vetoed AB 1656 and SB 364, which together would have created new data security and breach notification requirements for merchants, including mandatory encryption for certain information.  And he nixed AB 1906, which would have required individuals to obtain a certificate from the state Insurance Commissioner for the sale of identity theft insurance.

President OKs Amendments to CFAA and Identity Theft Laws

President Bush has signed legislation that provides restitution to victims of identity theft and broadens the scope of the Computer Fraud and Abuse Act (CFAA).  Known as the Identity Theft Enforcement and Restitution Act of 2008, this legislation was enacted as part of H.R. 5938.  Under the new law, a judge may order a person convicted of a federal identity theft crime to pay the victims "an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense."  The law also amends the CFAA to clarify the requirements for bringing a civil suit, create liability for conspiring to commit offenses, and generally make it easier for plaintiffs to show a violation.  In addition, the law asks the U.S. Sentencing Commission to consider increasing penalties for violations of federal identity theft laws, the CFAA, the Wiretap Act, and the Stored Communications Act.

U.S. Commerce Department Revises Rules for Encryption Exports

On October 3, the Commerce Department's Bureau of Industry and Security (“BIS”) published an interim rule revising the regulations governing the export of encryption.  The rule provides a modest liberalization and a major reorganization of the restrictions that apply to exports of encryption hardware, software, and technology.  Among other provisions, the new rule eliminates the requirement for notification to BIS prior to exports for certain hardware, software, and technology that is considered to be within the weak encryption parameters set out in BIS's rules.  It also removes from the encryption controls software designed or modified to protect against malicious computer damage.  In addition, the rule provides some additional liberalization under the most commonly available license exception (License Exception "ENC").  But the new rule creates some additional restrictions as well, by requiring additional information to be provided on submission of encryption review requests required for License Exception ENC availability.  The interim rule is effective immediately, though BIS is soliciting comments.

New PCI Data Security Standard Mandates Stronger Wireless Security

The Payment Card Industry (PCI) Security Standards Council released version 1.2 of its Data Security Standard (DSS) on October 1.  As we have previously reported, the DSS requires all participating “merchants, banks, [and] POS [point of sale] vendors” -- as well as their service providers and other contractors -- to implement six sets of security requirements:  build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.  The new version of the DSS requires covered entities to ensure that "wireless networks transmitting cardholder data or connected to the cardholder data environment ... use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission."  It also bars covered entities from using WEP security to protect wireless networks after June 30, 2010.  In addition to enhancing security for wireless networks, version 1.2 provides standard "attestation of compliance" forms for merchants and service providers and clarifies many existing requirements and procedures.

Steptoe Presents Chicago Seminar on Unfair Acts and Unfair Competition

On Thursday, October 30, Steptoe partners Charles Schill, Alice Kipel, Stan Schlitter, and Steve Barber will present a free breakfast seminar in Chicago to discuss enforcement of intellectual property rights through Section 337 investigations -- proceedings adjudicated by the United States International Trade Commission that provide companies a means to deal with patent, trademark, and copyright infringement, and other forms of unfair competition.  Registration for the seminar is free, but is on a first-come, first-served basis.  CLE credit is pending for members of the Illinois State Bar.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
