E-Commerce Law Week, Issue 533

Death to Hackers!

That's the message coming out of Pakistan, which recently reenacted a sweeping and draconian law criminalizing a wide array of computer offenses and imposing harsh sentences, including the death penalty, for broadly defined acts of "cyber terrorism."  The Prevention of Electronic Crimes Ordinance (Ordinance No. IX of 2008) makes it a crime to gain unauthorized access or willfully cause damage to computer systems.  The Ordinance also criminalizes electronic fraud, cyber stalking, spamming, spoofing, the creation or distribution of viruses and other malicious code, the use of encryption to commit or conceal an offense, and electronic eavesdropping.  The Ordinance also gives law enforcement the authority, pursuant to a search warrant, to request access to any encryption key or other means of decrypting any encrypted information found on or through any electronic system under investigation.  Moreover, the Ordinance requires electronic communications providers to retain all traffic data for at least 90 days and to provide the government with real-time access to both communications and traffic data upon request.

FTC Slams Company for Its Business Partner's Poor Security

The Federal Trade Commission announced earlier this month that mortgage lender Premier Capital Lending, Inc., has agreed to settle charges stemming from a breach of its online system for requesting and viewing consumer reports.  Most notably, the FTC alleged that Premier's failure to ensure that a business partner provided "reasonable and appropriate" protections for consumer reports accessible through Premier's system violated the Commission's Safeguards Rule (issued under the Gramm-Leach-Bliley Act).  The FTC also alleged that Premier's privacy policy contained "false or misleading" statements about its data security practices, in violation of both the Commission's Rule on Privacy of Consumer Financial Information and the "unfair or deceptive acts or practices" prong of the FTC Act.  According to the settlement, Premier must:  implement and maintain "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of consumers’ personal information"; obtain independent, third party audits of this information security program 180 days after it is implemented and every two years thereafter for 20 years; retain certain compliance-related documents for three to five years; and ensure that all its statements concerning the security of personal information are truthful.  Companies that wish to avoid similarly onerous settlement terms should make sure that any business partners with access to their systems have policies and procedures in place to keep this access secure.

Agencies Release Final Internet Gambling Rule for Payment Systems

The Department of Treasury and the Federal Reserve released a Final Rule on November 14 that requires certain designated payment systems and their participants to adopt policies and procedures designed to prohibit gambling transactions that are "restricted" under the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA).  As we have previously reported, a transaction is restricted under the UIGEA if it involves the transmission of funds from a person participating in "unlawful Internet gambling" to another person "engaged in the business of betting or wagering."  The Final Rule, which may have been rushed to completion before the arrival of the Obama administration, generally hews to the language of the rule proposed last October, with a few exceptions.  Most notably, the Final Rule provides additional guidance on due diligence that payment systems can perform to ensure compliance and clarifies that this due diligence applies only to commercial customers, and not to consumer accounts.  In addition, the regulators rejected the idea of requiring the government to publish a list of illegal gambling sites to which payment should be blocked, on the ground that it would be too difficult to determine what sites were legal or illegal under the panoply of federal and state gambling laws.  The regulators apparently did not appreciate the irony of their reasoning.  The Final Rule is effective January 19, 2009, but will not be enforced until December 1, 2009.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.