Photo of Scott Carpenter

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement though does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass’n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

On May 16, 2008 the U.S. Court of Appeals for the Fifth Circuit agreed with a number of other courts, holding that the Communications Decency Act (“CDA”) (47 U.S.C. Sec. 230) protects social networking websites from liability with respect to negligence claims based on third-party content published on the website and the consequences stemming from such content. In Doe v. MySpace, Inc., No. 07-50345, 2008 WL 2068064 (5th Cir. May 16, 2008), the plaintiff argued that MySpace negligently failed to implement appropriate technological safeguards to prevent the plaintiff, a 13-year-old, from registering on MySpace. The plaintiff lied in her registration materials, pretending to be 18 years old, and ignored MySpace’s warnings against sharing personal information on the website by posting her phone number. According to the plaintiff, the technological safeguards would have prevented her from meeting and being sexually assaulted by another MySpace user.

Website Operator Can Be Held Liable for State Intellectual Property Violations

A federal district court in New Hampshire recently ruled that Section 230 of the Communications Decency Act of 1996 (“CDA”) does not prevent a state law right of publicity claim against a Website operator. In Doe v. Friendfinder Network, Inc., No. 07-286, 2008 WL 803947 (D.N.H. March 27, 2008), a profile of the plaintiff, including a nude photo and biographical information, was posted by an unknown third party on AdultFriendFinder.com, an online swingers community, without the plaintiff’s knowledge or consent. The plaintiff asserted eight claims against the Website for, among other things, invasion of privacy (including violation of her right of publicity), defamation and false designation in violation of the Lanham Act. On the site’s motion to dismiss, the district court found that all of plaintiff’s claims were barred by the CDA, except her false designation and right of publicity claims. In so holding, the district court challenged and criticized a recent Ninth Circuit decision regarding the CDA’s immunity.

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Businesses are on notice to pay more attention to computer security in order to protect business assets and private information, and to thwart infiltrations that threaten interconnected computers.  And help is available from the United States Computer Emergency Readiness Team (“US-CERT”).

Department of Homeland Security (“DHS”) Secretary Michael Chertoff and Assistant Secretary of Cybersecurity Greg Garcia recently warned that an uptick in cyber attacks  reveal a growing threat to critical U.S. infrastructure and private networks. Garcia warned that hackers “are making massive efforts to compromise computer systems on a global scale,” a reference to the fifty percent in crease in cyber-attacks between 2006 and 2007.  Chertoff called upon businesses to help protect networks and infrastructure from infiltration and data theft.  Secretary Chertoff remarked, “There’s no question this is the vulnerability of the 21st century.”