
ReedSmith
July 2006
Volume V, Number 6
Serving Clients in
a Digital World
LegalBytes
Disclosures, Decency and Data Security
For the record, privacy, data protection, information security and international law
have officially converged with management, compliance and marketing. More than 30
U.S. states have now passed legislation in one form or another that requires businesses
to notify consumers if an actual or potential breach of data security may lead to the
compromise of personally identifiable information. This comes on the heels of several
years of the government tightening its own policies regarding data security breaches
and instances of compromised security.
Light Bytes
“A resolution to avoid an evil is
seldom framed till the evil is so far
advanced as to make avoidance
impossible.”
— Thomas Hardy
Recently, the Office of Management & Budget, which oversees U.S. federal agencies,
announced a tougher policy for government, requiring agencies to follow the security
procedures checklist prepared by the National Institute of Standards and Technology
(“NIST”) to protect data. An internal OMB memo recommends that data on mobile
computers and devices carrying agency data be encrypted, and suggests two-factor authentication (one being separated from the actual computer obtaining access to the data).
As noted in prior issues of Legal Bytes, requirements and compliance obligations for
commercial enterprises doing business across state lines and national boundaries
vary, although many have common themes. If you are concerned—and you should
be—contact us ([email protected]). We can help you sort out your current
compliance obligations and help you keep track of the changing privacy and data
protection landscape, both domestically and internationally. Even if you choose not to
inject your views into the regulatory process, you must keep abreast of developments
or risk action by consumers and regulators.
This whole area is churning with activity and, like the migration of computers from
technology organizations to mainstream business management decades ago, privacy
and data protection are evolving from a technology problem to an issue throughout
the world of management, marketing and business process. On a global scale, disharmony in legal systems is a major roadblock to everything from the war on terrorism
and money laundering, to the simple acceptance of credit cards by merchants and air
transportation. Recently, Europe’s highest court ruled that an agreement made in 2004, which
allowed airlines to share 34 items of information about every passenger flying from
Europe to the United States—in an effort to fight terrorism—is illegal. The United
States threatened to strip air carriers of landing rights if an agreement was not reached,
and now the European Court of Justice has allowed the arrangement to continue only
until September 30 so the parties can forge a new arrangement.
A New York Senator has proposed legislation that might concern marketing professionals (Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006,
S. 3713). In addition to requiring notice to consumers, the act allows them to place a
permanent security hold on credit information; requires opt-in consent by consumers
to financial institutions before sharing information with third parties; and contemplates
a private right of action for damages, and—if identity theft occurs—damages up to
$5,000 per person.
Several years ago, the Payment Card
Industry, comprised of the major credit
card and payment instrument issuers
and processors, announced Data Security
Standards and Audit Guidelines. Because the standards require encryption and secure storage of personally identifiable payment transactional
and related data, merchants are faced with
certifying, documenting and ensuring
compliance or being deprived of the ability to accept payment instruments issued
by the card industry issuers and processors. This is hardly an esoteric issue.
Visa fined BJ’s credit card processor upon
discovering the processor’s system improperly kept magnetic-stripe data after
sales were consummated, in violation of
Visa’s operating regulations. Reissuing
new account numbers and cards—in
addition to covering unauthorized charges—created damages for Sovereign Bank
(among others), and Sovereign sued BJ’s
and its processor. A U.S. District Court in
Pennsylvania has ruled Sovereign may not
recover losses from its payment processor and is not a third party beneficiary of
Visa’s agreements with the processor. In
dismissing the breach of contract claim
against the processor, the court concluded
that simply because Visa U.S.A. had contracts with processors to protect its payment processing system does not mean
the bank, or any other entity that touches
the system, is an intended beneficiary of
that agreement. This is not the only, not
the first and likely not the last case involving allocation of risk and the protection
of information and data flowing through
virtually every merchant, financial institution and government system in the
world today.
The Medium May Be the Message, but Content is
Still King — Sex, Lies and Videotape
The Mobile Marketing Association has promulgated guidelines, now adopted by many
leading wireless carriers and programming networks, to deal with the growing use of
email, SMS (text messaging) and similar mechanisms in advertising and marketing.
As you will recall, legal and regulatory actions have arisen based on the fact that some
companies’ marketing practices fail to adequately disclose the charges, whether subscription or imposed by the wireless carriers, that apply to some of their services and,
in some cases, to the advertisements and marketing messages themselves.
Wireless carriers are beginning to adopt content guidelines for what they will or will
not transmit from content partners—regulating such things as sexually explicit material, graphic
violence, profanity, hate speech and other topics, words and images—in some cases including lengthy lists of “forbidden words.” CTIA, the wireless industry trade association,
issued fairly broad content guidelines last November, but left the specific implementation
to the individual carriers. Some carriers have carried this implementation to a level of
detail that covers everything from games, music, images and video, and in some cases
even governs the file names of anything downloaded or transmitted.
Wait until you wake up to the issues raised by transmission and posting of “user
generated content.” As you may know, in addition to the FTC regulating advertising
and certain content in the U.S., and on top of state laws, the Federal Communications
Commission (“FCC”) has authority to regulate indecent content on television and
radio, and the mobile phone as a media and entertainment device is no longer fiction,
but fact in many cases. Did you know that our Advertising, Technology & Media
Law group has significant experience in all these areas (Judith Harris for FCC and
communications—[email protected]; Doug Wood for advertising and marketing—[email protected]; and, of course, any of us or me, jrosenbaum@reedsmith.com, if you simply can’t figure out where your need fits)?
Useless But Compelling Facts
Name the only letter in the alphabet pronounced with more than one syllable, and name at least two distinct English common words
(not derivatives, plurals or conjugations) with three consecutive double letters. Send your
answers to [email protected]. Reed Smith employees are ineligible.
EDITOR-IN-CHIEF
A quick apology to Scott Morton at JDS Uniphase in the UK. Although not first, he did
correctly decipher the “code” with the dual attribution to DaVinci and Paine, and the four
“-ous” words. We hope the British also forgive us for our Independence! Cheers.
Answers to last month’s multi-part question: The living person with the most Academy
Award® nominations – John Williams with 41; the leading actor/actress who has won the
most Academy Awards® – Katharine Hepburn, with four Leading Actress Oscars®; the person
who has won the most Oscars® and won each time nominated – Mark Berger, with four in
the Sound category; and only three motion pictures have swept awards for Best Picture,
Director, Lead Actor and Actress, and Writing – It Happened One Night (1934), One Flew
Over the Cuckoo’s Nest (1975) and The Silence of the Lambs (1991). Our winner: first, fastest
and astounding is Richard Fine in the legal department of IBM, with a close second coming
from Ellen Goldberg at JPMorgan Chase in the UK, soon to be returning to the U.S. This
was difficult so we are awarding both a first prize and a runner-up prize. Kudos!
Joseph I. Rosenbaum
New York
212.702.1303
[email protected]
If you would like to know more about the topics in this issue, about Reed Smith or the ways
we can help serve your legal needs, please
contact Joe Rosenbaum, head of our New
York-based e-commerce practice.
The material is not intended to provide legal
advice to be used in a specific fact situation.
“Reed Smith,” which refers to Reed Smith LLP
and related entities, is a limited liability partnership formed in the state of Delaware.
©Reed Smith LLP 2006. All rights reserved.