New Developments in ECommerce Law

1
New Developments in E-Commerce Law

• NW E-Commerce Roundtable
• March 11, 2004
• Holly K. Towle

2
Todays presentation

• Recent laws
• Attribution
• FACT and Identity Theft

3
Recent legal developments in e-commerce

• CA Online Privacy Protection Act. As of July 1,
  2004, California will be the first state to
  require online businesses (general) dealing with
  consumers to post and abide by a privacy policy.
  
• CA Direct Marketing Disclosures. As of January
  1, 2005, CA will require businesses to disclose
  the names and addresses of all third parties to
  whom the business provided consumer information
  for direct marketing purposes. Categories of
  info too.
• FTC attitude sea change patch on time and have
  adequate security revise all privacy policies
• Ellision (9th Circuit) have and enforce DMCA
  policies for terminating repeat infringers
• Remsburg (RI supreme court) new liability of
  information providers?
• Credit and Debit Card E-Receipts dont
  electronicaly print gt than the last 5 numbers
  dont print the expiration date. (FACT)
• CAN-SPAM

4
Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003

• CAN SPAM
• Effective January 1, 2004 Prospective CEMM
  sent gt January 1
• 5 specific requirements for all commercial e-mail
• prohibition against false headers
• prohibition of deceptive subject headings
• operational return address
• prohibition of transmission after objection
• advertising identifier, opt-out notice, physical
  address
• CEMM any email if primary purpose is
  advertisement or promotion of commercial product
  or service (except transactional or relationship
  messages)
• Beneficiary liability
• Put up the right notice to qualify for protection
  against harvesting and dictionary attacks (and
  trespass)

5
Attribution the Achilles heel of e-commerce

• The problem lies in proving
• That the person you are dealing with really is
  the person with whom you believe you are
  contracting or
• At least, proving that the person or entity you
  believe should be involved has the legal
  liability
• EDI is done by express contract
• The question is
• When can electronic conduct or operations,
• such as a clicking I agree,
• be attributed to a particular person in law or
  fact?
• The answer is not in the laws (UETA, E-Sign or
  UCITA)

6
U.S. financial institutions regulators
characterize attribution methodologies as
involving 3 basic factors

• Something the user knows (e.g., password, PIN)
• Something the user possesses (e.g., ATM card,
  smart card) and
• Something the user is (e.g., biometric
  characteristic, such as a fingerprint or retinal
  pattern)
• The more of these factors an attribution
  procedure uses, the more reliable it is likely to
  be. Thus, an ATM transaction typically requires 2
  factors something the user knows (the PIN) and
  something the user possesses (the ATM card).

7
Common mistakes

• Who knows the answers? Assume Husband loan
  applicant can answer all identifier questions
  (city of Wifes birth, a parents birthday,
  favorite sport etc.)
• Authenticating the machine instead of the person
  (e.g., forgotten passwords)
• Viewing the issue as one of business risk only.
  The world changes with FACT and identity theft.
• Failing to plan for the coming clash between
  attribution (e.g., FACT) and privacy laws

8
Identity theft

• One of the fastest growing crimes in the nation
  
• The crime of the new millennium

• FTC 2003 Study
• Impact 4.6 of population
• Existing credit card accounts 6.0
• New Accounts 4.7
• Credit cards 8
• Loans 5
• Telephone services 5
• Checking/Savings 3
• Internet 2
• Other 1
• Insurance 1

• But the most common way to obtain information is
  lost or stolen wallets, purses and mail

9
What is Identity Theft?

• Identity Theft is variety of crimes, all of which
  involve stealing someones personal identifying
  information to open a new account, take over an
  existing account, or pose as someone else for
  various purposes
• The violation of some 180 federal criminal
  statutes can potentially fall within the ambit of
  the federal identity theft act

10
How Does Identity Theft Happen?

• Stolen Goods Containing Identity Information
  (e.g., pdas, purses, briefcases etc.)
• Familial and household workers
• Mail Intercepts
• Misuse of documents (e.g., data mining)
• Dumpster Diving
• Inside Jobs (employee misuse of access)
• Change of Address
• Internet (electronic resources, exchanges and
  compilations)
• Presenting victims name to law enforcement
• Presenting victims name to an employer

11
Example of attempted identity theft
12
Who is an identity thief and what happens?

• FTCs 2003 Report a victim is more likely to
  know the thief the more serious the crime
• 26 of all victims knew the thiefs identity
• FTC 2003 Report for most victims of identity
  theft (63), there is no loss of money
  out-of-pocket
• 35 of all victims resolved all problems in
  one hour or less. Regardless of the misuse, ½
  said they are not very or not at all
  concerned that it might happen again
• only 26 even contact law enforcement
• But thats not where the law is going..

13
Identity Theft and Assumption Deterrence Act of
1998

• Specifically labels identity theft a crime
• Prior to passage, only unauthorized use or
  transfer of identity documents (e.g., social
  security card) was the crime
• 18 USC 1028(a) (7) knowing transfer or use,
  without lawful authority, of a means of
  identification of another person with the intent
  to commit, or to aid or abet, any unlawful
  activity that constitutes a violation of federal
  law or state felony law
• means of identification any name or number
  that may be used, alone or in conjunction with
  any other information, to identify a specific
  individual, including . . .

14
The federal act also

• Makes identity theft a separate crime against the
  person whose identity is stolen
• Previously, if a victims information were stolen
  from a bank, the crime was viewed as having
  occurred against the bank.
• Cf tort law. There tends to be no duty to
  non-customers. See Huggins v. Citibank, N.A.
  (claim by non-customer victim against bank for
  negligent issuance of credit card not actionable)
• But see Remsburg v. DocuSearch Inc. (info
  provider liable to victims estate for selling
  info w/o asking purpose, given threat of identity
  theft and stalking)

15
What about the other victim (the one who is
duped)?

• Under state law, the victim whose id is stolen is
  not liable for the debt, security interest or
  other aspect of the transaction. That means,
  enforcement requires proving who you are dealing
  with.
• ID theft statutes are not viewing the duped
  person as a victim but, instead,are tending to
  penalize them or impose duties on them
• CA Civ. Code 1798.93 up to 30,000 civil
  penalty if, after notice of likely id theft,
  failure to diligently investigate and continue
  to pursue its claims against victim (who wins)
• CA Penal Code 530.8 (as amended 2003) 100 per
  day for failure to provide info to victim atty
  fees all other remedies
• Statutes are also making it harder to verify
  identity, e.g., CA
• New drivers license confidentiality act
• Restrictions on transmission of SSN, including
  embedding it electronically
• Cant condition credit card use on id if
  recorded.
• CF WA RCW 19.192 (credit card merchant contracts
  void citizens should be able to take reasonable
  steps to prevent themselves and their communities
  from falling victim to crime)

16
Enter the newest federal act, FACT (Fair
Accurate Credit Transactions Act of 2003)
FACT

• At least covers if business is
• is notified by a consumer that he or she may be a
  victim
• uses a consumer report (e.g., checking a new
  employee or tenants background or deciding to
  extend credit or provide goods or services)
• furnishes information to a consumer reporting
  agency or is one
• shares consumer information with affiliates
• sells, transfers or places for collection, debt
  involving identity theft
• electronically prints receipts showing credit or
  debit card numbers or expiration dates, or
• uses credit scores, makes offers to prescreened
  customers, or uses medical information.

17
Examples of new duties for persons dealing with
identity thieves

• Must provide info upon request of victim (the one
  whos identity is stolen)
• These notices can be directed to certain
  addresses and conditioned on receipt of certain
  information
• Cannot proceed with some transactions if theres
  a fraud alert. Note impact on automated systems.
• The creditor provisions may apply to trade
  credit and business credit this might have
  unexpected impacts and pull in telephone
  companies and Internet service providers
  unexpectedly
• Furnishers of info to CRAs must establish new
  procedures and avoid repollution they must
  also engage in direct dispute resolution
  procedures
• Myriad state laws are clearly preempted. Others
  are not so clear

18
Conclusion

• Be careful out there its not just a business
  decision to take the risk of dealing with the
  wrong person
• Losses can be more than the amount of the
  transaction
• New duties and penalties exist
• There will be tension between the need of the
  vendor to prove identity or to provide
  information to victims ??? privacy laws
  restricting what the vendor may collect or
  disclose
• Establish appropriate policies and procedures

19
Questions?

• Holly K. Towle (HollyT_at_PrestonGates.com)