In a recent decision, the Northern District of California held that e-mail harvesting without permission may give rise to a cause of action under the California Penal Code and based on common law misappropriation. More striking, however, was the court’s ruling that the federal CAN-SPAM Act, 15 U.S.C. § 7701 et seq., preempts two California anti-spam statutes. Facebook, Inc. v. ConnectU LLC, — F.Supp.2d —, 2007 WL 1514783 (N.D. Cal. 2007).

In a decision that will significantly impact the ability of the government to access electronic communications, the United States Court of Appeals for the Sixth Circuit on June 18, 2007, affirmed a district court’s issuance of a preliminary injunction prohibiting governmental entities from obtaining Internet Service Providers’ (“ISP”) subscribers’ e-mail communications unless the subscriber first receives prior notice and an opportunity to be heard.  Warshak v. United States, No. 06-4092 (6th Cir. 2007). The Court found unconstitutional the Stored Communications Act (“SCA”) provisions allowing Government seizure of such communications without prior subscriber notice, because the court order could be issued without a showing of probable cause that the subscriber had committed a crime. The Sixth Circuit found that individuals have an expectation of privacy regarding the contents of emails sent or stored through an Internet Service Provider (ISP).

In a recently unsealed order, Central District of California Magistrate Judge Jacqueline Chooljian ruled that data contained in a computer server’s Random Access Memory (RAM) is “electronically stored information” for purposes of Federal Rule of Civil Procedure 34. She also ordered the defendant to begin logging the contents of certain servers’ RAM and producing the logs.

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al., 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Last month the French subsidiary of the U.S. based company, Tyco Healthcare, became the first local branch of a U.S. company to be fined for data protection violations. France’s data protection agency, La Commission Nationale de L’informatique et des Libertes (CNIL) levied a fine of 30,000 euro (or about $40,350) against the company after it both ignored CNIL’s requests for clarification about one of its human resource databases and then made misrepresentations concerning the database to the regulatory agency.