E-Commerce Law Week, Issue 612

Court's Ruling Gives Shot In The Arm To Companies With Network Breaches

A recent decision by a federal court in Illinois in Devine v. Kapasi provides more ammunition for companies seeking a viable cause of action against those who obtain unauthorized access to their networks.  The court ruled that a "facility through which an electronic communication service is provided" can legitimately file suit under the Stored Communications Act (SCA) (18 U.S.C. § 2701, et seq.) when it is breached, even if that facility does not provide such services to the public.  In other words, the court made clear that a private server also falls under the umbrella of the SCA prohibition on unauthorized access. The ruling also underscores how the SCA can serve as a complement to, or substitute for, the Computer Fraud and Abuse Act (CFAA).  Indeed, as the Plaintiffs saw first-hand in this case, most private sector plaintiffs making a CFAA claim suffer the disadvantage of having to prove a statutory threshold of damage "aggregating at least $5,000 in value."  A cause of action under the SCA has no such threshold.

Court Affirms An ISP Is Not Joe Friday Just For Patrolling Its Own Turf

The Fourth Circuit recently concluded in U.S. v. Richardson that an Internet service provider's screening of users' communications for images of child pornography did not make it an agent of the government, and thus did not implicate the Fourth Amendment.  Even though federal law requires ISPs to report any “apparent” child pornography that they come across, the court reasoned, this reporting obligation does not require or even encourage ISPs to go looking for such material.  The decision leaves open the question of what other actions by the government to encourage reporting, or to influence the manner in which screening is done, might cross the line and turn ISPs into government agents.  These questions are relevant not just to reporting of child pornography, but to other areas in which the government might urge, or even require, communications providers to screen packets that cross their networks, such as in an effort to detect malware or copyrighted material.

European Disunity Not Limited to World Cup

While France seems on the verge of national implosion as it searches for reasons for Les Bleus’ dreadful performance in the group round of the World Cup, the infighting is almost as bad over in Brussels when it comes to sharing data for counterterrorism purposes with the United States.  As we reported earlier this month, the European Commission adopted a second draft agreement that would allow the United States to access financial payment information stored in the European Union by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an international banking consortium.  Although the agreement was signed by EU and U.S. representatives earlier, it must still be approved by the European Parliament.  European Data Protection Supervisor Peter Hustinx criticized the new draft agreement as still not going far enough to protect Europeans’ personal information.  But recent reports indicate a compromise has been reached, and that Parliament is expected to approve the new agreement soon.

Mexico Takes a Step Closer to Joining the Data Protection Club

The Mexican Senate unanimously passed federal privacy legislation in April that aims to bring the nation's personal data protection and regulatory regime more in line with those of Asia-Pacific Economic Cooperation (APEC), the Organisation for Economic Co-operation and Development (OECD), and the European Union. There are several provisions of the bill that are especially noteworthy for any company processing the personal data of Mexican citizens -- including notice and consent rules, limits on data retention and transfer, and a breach notification requirement. The bill also includes fairly stringent penalties for the neglectful processing or intentional misuse of such data.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.