E-Commerce Law Week, Issue 567

July 25, 2009

Giving Up the Ghost, Without Even Knowing It

When Banquo’s ghost appears in Macbeth’s seat at a feast, Macbeth is so shaken with fear that Lady Macbeth chides him as having been “unmann’d in folly.”  One might forgive system administrators for feeling that way after finding that “Ghostnet” has taken control of their networks.  Ghostnet is a sophisticated cyber espionage network that has attacked company and government computers around the world, including those of U.S. defense contractors.  To date, this little-reported network has been used mainly to steal sensitive data from victim systems.  Organizations that fall victim to Ghostnet could face a host of legal problems, including reporting obligations under state breach notification laws; investigation by U.S. regulators, European data protection authorities, and state attorneys general; lawsuits by parties whose information was stolen; and penalties under Defense Department contracts.  Companies that don’t prepare for the potential legal onslaught could find the visages of the lawyers lined up against them to be as frightening as Ghostnet itself.

Monitoring Employees' Personal Emails?  Not So Fast, Says New Jersey Court

A New Jersey appellate court recently ruled that although a company may examine an employee's personal emails where necessary to serve "a legitimate business interest," such a policy cannot permit "an intrusion into communications otherwise shielded by the attorney-client privilege."  In Stengart v. Loving Care Agency, Inc., Marina Stengart brought an employment discrimination claim against her former employer, the Loving Care Agency (LCA).  While still employed at LCA, Stengart used her work-issued laptop to send several emails pertaining to her anticipated suit to her attorneys through her "personal, web-based, password-protected Yahoo email account."  After she filed suit, attorneys for LCA obtained access to these emails and produced some of them in response to her interrogatories.  Stengart's attorneys requested that LCA's attorneys return all such emails.  They refused, prompting Stengart to apply for a temporary restraining order.  The trial judge denied the motion, finding that "the emails were not protected by the attorney-client privilege because the company's electronic communications policy put plaintiff on sufficient notice that her emails would be viewed as company property."  On appeal, the Superior Court of New Jersey, Appellate Division, reversed, finding that "[a] policy imposed by an employer, purporting to transform all private communications into company property -- merely because the company owned the computer used to make private communications or used to access such private information during work hours -- furthers no legitimate business interest."  Significantly, the court's rationale was not limited to emails concerning the attorney-client privilege.  
In reaching its decision, the court announced an extremely privacy-protective rule, holding that, regardless of the wording of a company's monitoring policy, "an employer's rules and policies must be reasonable to be enforced," and that the policy may be enforced by courts only if "the regulated conduct … concern[s] the terms of employment" and the policy "reasonably further[s] the legitimate business interests of the employer."

Canada Joins Europe In Scrutinizing Social Networking Sites' Privacy Practices

The Office of the Privacy Commissioner of Canada has found that some of Facebook's most popular features -- including third-party applications and the tagging of photos with names and email addresses -- violate the data protection principles of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).  Those principles require organizations that use the personal information of Canadians to, inter alia, implement procedures to protect such information; identify the purposes for which it is collected; collect and retain it only where necessary for these purposes; and obtain the data subject's consent prior to its "collection, use, or disclosure."  In its report, the Privacy Office found that Facebook failed to abide by these principles, citing several unresolved violations of PIPEDA.  The Office stated that it would reassess Facebook's compliance with PIPEDA and the report's recommendations in 30 days.  Along with a recent EU Article 29 Data Protection Working Party opinion (on which we previously reported) advising all social networking sites that handle the personal data of EU residents that they must comply with the EU Data Protection Directive, this report indicates that the increasing scrutiny of social networking sites' data protection policies around the world could force significant changes in the way such sites operate.

British Court Finds Google Not Liable for Defamatory Search Results

A court in the United Kingdom ruled that Google is not liable for defamatory material that appears in its search results because it is not a "publisher" of such material.  The court equated Google to a library catalogue, which would not be held liable for the content of the books it lists.  The UK has traditionally been friendly to libel claimants, so this decision -- though consistent with rulings in the US and EU -- is an important precedent for search engines.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
