E-Commerce Law Week, Issue 545
February 21, 2009
Massachusetts Delays Enforcement of Data Security Regulations Until 2010
The Massachusetts Office of Consumer Affairs and Business Regulation has again delayed enforcement of the sweeping data security regulations it issued last year, this time until January 1, 2010. The Office has also dropped a provision that would have required businesses to obtain a "written certification" of compliance with the regulations from their third-party service providers. Instead, the amended regulations require businesses to take "all reasonable steps" to ensure that their service providers are "applying ... personal information protective security measures at least as stringent as those required" by the regulations. The latest delay in enforcement and recent amendment came after interested parties were invited to a hearing on the Office's earlier decision to postpone enforcement of many provisions of the data security regulations until May 1, 2009. The willingness of the Office to consider substantive amendments to the regulations at a hearing designated solely for consideration of their effective date suggests that continued vocal opposition might still have some effect on the regulations' more burdensome provisions.
Posting YouTube Video Without Subjects' Consent Draws Fine From Spanish DPA
The Spanish Data Protection Agency (DPA) recently ruled that individuals who post pictures or videos of "identifiable persons" without the consent of those photographed or filmed face liability under Spain's Law 15/1999, On the Protection of Personal Data (LOPD). The Spanish DPA held that, by posting a video of several youths taunting an allegedly paranoid schizophrenic individual to YouTube without the consent of those depicted, an individual identified as "Mr. R.R.R." committed a "serious" violation of the LOPD. While such violations are punishable by more than € 60,000 in fines, the Spanish DPA chose to impose a reduced penalty of € 1,500, stressing that the poster of the video had promptly removed it of his own accord after it was reported on by the news media. But even this diminished fine could scare Spanish users away from posting images or movies to social networking and other public websites, potentially cutting off the flow of the user-generated content on which these websites depend.
"Screen-Scraping" Gives Rise to CFAA Claim Against Investment-Research Firm
Plaintiffs continue to seek new applications for the Computer Fraud and Abuse Act (CFAA), potentially turning the Act into far more than just an anti-hacking statute and making it a regular part of employment and contract disputes and other types of business litigation. In NewRiver, Inc. v. Morningstar, Inc., NewRiver -- a service provider to the brokerage industry -- alleged that Morningstar used automated "screen-scrapers" to access and copy large volumes of data from NewRiver's web-based "Prospectus Express" database. That database contains an "online library of compliance documents" related to a wide range of financial instruments sold in the United States. While NewRiver had agreed to provide Morningstar with indirect access to a portion of the Prospectus Express database through a custom URL, it alleged that Morningstar's screen-scrapers accessed information directly from the full database and thereby obtained confidential investment files belonging to other NewRiver clients. NewRiver noted that Morningstar had admitted to accessing the database for "quality assurance" and product development purposes, and suggested that Morningstar may have used information gathered from the database to lure away NewRiver's clients. Based on these allegations, NewRiver brought claims against Morningstar for, inter alia, violations of the CFAA and trespass to chattels.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.















