E-Commerce Law Week, Issue 437

January 6, 2007

Court Rules that Failure to Mitigate Has No Impact on CAN-SPAM Awards

Thanks to a recent ruling by a federal court in California, Internet service providers may have one fewer hurdle to clear when seeking damages from spammers.  Under the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, "a provider of Internet access service" that has received emails bearing false or misleading "from" lines or deceptive "subject" lines may recover damages "equal to the greater of … actual monetary loss" or certain enumerated statutory damages.  Less clear has been whether an ISP's failure to mitigate damage by taking steps to avoid receipt of the emails has any bearing on a defendant's liability or the damages recoverable under CAN-SPAM.  In Phillips v. Netblue, Inc., the court concluded that because Congress intended CAN-SPAM "to penalize the spammer as opposed to compensate the victims of spam, ... the doctrine of the mitigation of damages has no applicability to any determination regarding the award of such damages."

Bush Signs VA Breach Notification Law:  Will Private Sector Legislation Follow?

President Bush recently signed the Veterans Benefits, Health Care, and Information Technology Act of 2006, which requires, among other things, that the Veterans Administration "prescribe interim regulations" for the provision of several data breach response measures, including notification to veterans in cases where there is "a reasonable risk … [of] the potential misuse of sensitive personal information."  Although the new law applies only to the policies and practices of the VA and its contractors, it could serve as a model for more broadly applicable federal breach notification legislation, which Democrats have promised to push in the new congressional session.  Moreover, the law requires the VA to "establish and maintain a comprehensive Department-wide information security program," the details of which could inform future congressional or regulatory efforts to define "reasonable" data security.  So the private sector should watch closely as the Act is implemented.  Meanwhile, as the private sector awaits possible federal notification legislation, action continues at the more local level.  Lawmakers in Michigan and Washington, D.C., recently passed legislation requiring companies to notify customers in the case of a data breach.  While the Michigan bill was signed by the Governor on January 3, the D.C. bill requires the approval of Congress, which seems likely.  Unless Congress quickly passes national data breach notification legislation with a strong preemption provision, the crazy quilt of state and local laws may soon become even more difficult to negotiate.

French Court Suggests That Processing IP Addresses Requires Government Approval

We can't tell whether the Beatles' song You Know My Name (Look Up The Number) was one of the 12,000 songs illegally downloaded by French citizen Laurent Fernandez using P2P software in 2001 through 2004.  But in deciding in December that Fernandez could not be prosecuted for those downloads, a French lower court clearly seemed to have similar thoughts to those of the Fab Four when singing this song.  Or rather, the reverse.  With potentially far-reaching implications, the court decided that the tracking of Fernandez' downloads using his IP address involved processing of personal information, and that this was unlawful without the approval of the French data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL").  If the decision by the court is upheld, the implications could extend far beyond the context of the fight against P2P music piracy.  A huge number of activities on the Internet involve processing of IP addresses, and the (entirely impractical) implication is that many of these activities could be subject to a CNIL approval requirement.  Moreover, the issue is not necessarily limited to France; although not all EU member states have the same strict data protection authorization requirements that exist in France, many have similar requirements.  We doubt that the court's decision will ultimately lead to such serious legal restrictions on the ordinary operation of the Internet, but the issue nevertheless bears watching as the case proceeds through the French appeals process.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.