
E-Commerce Law Week, Issue 538

January 3, 2009

New Jersey Drops Encryption Requirement from Draft Data Security Regulations

Last month, the New Jersey Division of Consumer Affairs released a new draft of its proposed data security regulations.  As we previously reported, backlash from business blocked adoption of the original proposed regulations, which were drafted in 2007 pursuant to New Jersey's Identity Theft Prevention Act.  While the original proposal would have required companies doing business in the Garden State to use encryption -- and a plethora of other technologies -- to protect the personal data of New Jersey residents, the new draft does not require encryption or any other specific technologies.  Instead, the new draft would impose a more general requirement on affected companies to "implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of personal information."

Trade Group Updates Self-Regulatory Code for Online Advertising

On December 16, the Network Advertising Initiative -- which includes Internet heavy-hitters Yahoo! and Google -- introduced a new version of its Self-Regulatory Code of Conduct for online advertising.  The new Code contains requirements for the handling of "personally-identifiable information" that cover notice, choice, use limitation, access, reliability and security.  The first version of the Code was released in 2000.  By updating the Code, the NAI members likely hope to forestall efforts by the Obama Administration or the next Congress to regulate online advertising.  Meanwhile, in addition to membership in the NAI, Yahoo! and Google have taken other steps to ease consumers' concerns about the privacy of their search results.  Yahoo! announced in December that it will anonymize its "user log data" within 90 days, with "limited exceptions" for "fight[ing] fraud," "preserv[ing] system security," and meeting "other legal obligations" (Yahoo! previously retained identifiable search logs for 13 months), while Google announced in September that it would anonymize its search data after 9 months (it previously retained identifiable data for 18 months).

Court Rules that Employee's Misappropriation of Business Information Does Not Violate CFAA

A December 15 ruling adds to the division among the courts about when an employee's breach of loyalty to his company violates the Computer Fraud and Abuse Act (CFAA).  In Condux Int'l, Inc., v. Haugum, a federal court in Minnesota ruled that a former employee's "wrongful intended use" of information that he had accessed on workplace computers while he still worked for the company did not make this access "unauthorized" for the purposes of the CFAA.  The court noted the split in legal authority on the question of whether violating a duty of loyalty to an employer can cause one's access to workplace computers to become "unauthorized" or in excess of authorized access for purposes of the CFAA.  But it ultimately sided with those courts that have interpreted the CFAA as creating a cause of action for the "unauthorized procurement or alteration of information, not its misuse or misappropriation."  It held that, under the plain language of the statute, "exceeds authorized access" "contemplates persons who 'go beyond the permitted access granted to them,'" while "without authorization" refers to persons with "no permission to access whatsoever."

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
