Related Practices

E-Commerce Law Week, Issue 637

January 1, 2011

Some Injuries Just Don't Hurt

“Injury in fact” and “actual loss or damage” would seem, to the untrained eye, to be the same thing.  But, as demonstrated in data breach cases, you can have the first without the second, and thus have standing to sue in federal court but not a cognizable negligence claim.  In Krottner v. Starbucks, the Ninth Circuit found that the increased risk of identity theft constituted "injury in fact" and thus gave plaintiffs standing under Article III, Section 2 of the U.S. Constitution.  It also found that a plaintiff's alleged stress and anxiety arising from a data breach was sufficient to confer standing.  But the court ruled, in a second, unpublished opinion, that the allegation of a risk of future harm did not constitute “actual loss or damage” necessary to make out a negligence claim under the law of Washington State.  The Ninth Circuit’s decision that standing could be predicated on the risk of future identity theft appears to deepen a circuit split on this issue.

Court Guts Usefulness of CFAA for Employers

A federal court in California recently adopted an extremely narrow interpretation of the Computer Fraud and Abuse Act (CFAA) which, if adopted by other courts, would make it much more difficult for companies to go after rogue employees who make off with proprietary data or undertake some other harmful activity on a company computer.  In Accenture, LLP, v. Sidhu, the court essentially held that if an employer makes a computer available to an employee, that employee is “authorized” to access that computer for any reason, even if his access violates company policy.  This is an issue that has repeatedly split the courts.  But even among courts that have adopted a narrow view of the CFAA’s applicability, the Accenture court’s decision stands out as one of the most restrictive.

European Parliament Seeks Crack Down on Behavioral Advertising

The European Parliament has issued a resolution calling for tighter regulation of the online advertising industry and better safeguards for consumers.  The resolution focuses on behavioral advertising, which it says “constitutes a serious attack on the protection of privacy.”  Earlier this year, the EU Article 29 Data Protection Working Party issued an Opinion that called for, among other things, a “consent button,” which would restrict behavioral advertising to people who had actively approved its use.  The resolution also delves into the area of keyword search terms, recommending that the EU restrict search engines from selling trademarked brand names as advertising keywords.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.