The following text is copyright 2004 by Network World, permission is hereby given for reproduction,
as long as attribution is given and this notice is included.
Knitting legal patchwork quilts
By Scott Bradner
One of the most difficult
features to deal with on the Internet is the lack of any understandable
localization of authority. Once
upon a time when a country or state within a country enacted a law regulating some
aspect of human or corporate behavior it was generally easy to figure out if
the law applied to you. A Boston
law against spitting on sidewalks or regulating the size of billboards could be
safely ignored in Chicago. Chicago
could have its own laws dealing with spitting or billboard size and those laws
would apply to people or businesses in Chicago. It's not so easy to similarly localize a law's area of
application when the law applies to activity or content on the Internet. With the Internet, a German law
restricting the publication of Nazi propaganda or an Australian libel law can
have impacts in the US, as has been proven in the last few years. Within the US we have been getting a
spate of state laws that may or may not impact out of state companies providing
services over the Internet or out of state Internet users. California has been
particularly good at passing such laws but I wonder if, in the end, California's
aggressiveness will be rewarded by federal preemption.
I've already written
about what has been referred to as the California Database Breach Disclosure
Act (http://www.nwfusion.com/columnists/2004/0517bradner.html
- text at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html)
which was passed two years ago and requires anyone who gets a computer
containing certain kinds of unencrypted data about California residents hacked to notify those residents of the break-in. Until next January 1 the only pain that
the computer owner suffers is embarrassment.
After January
1 the recipient of such a letter may be able to forward the disclosure letter
to their lawyer who could start getting a lawsuit together. California
has just added teeth to the break-in disclosure act with a new law (http://leginfo.ca.gov/pub/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.pdf)
approved by the Governor at the end of September that requires companies with
unencrypted data described in the law to "implement and maintain
reasonable security procedures and practices" to protect the data. The new law does not block private
lawsuits so you can expect that many disclosures will result in lawsuits -- maybe
you better figure out how to encrypt the data.
Another California law that went into effect on July 1st
this year requires that websites that deal with individual consumers residing
in California publish and abide by privacy statements. (http://info.sen.ca.gov/pub/bill/asm/ab_0051-0100/ab_68_bill_20031012_chaptered.pdf) The law includes specific
requirements about what the privacy statements have to include and how
they have to be advertised on the web site. This law also does not block
private lawsuits.
Finally,
another new law due to take effect on January 1st requires any California company
employing more than 20 people that collects a wide range of personal
information about individuals to disclose, upon request, what information they
share with which direct marketers. (http://info.sen.ca.gov/pub/bill/sen/sb_0001-0050/sb_27_bill_20030925_chaptered.pdf)
Depending on the definition of a "California company" this last bill may or may not impact
companies outside of California but since the law specifically permits
awarding a penalty I expect some lawyers to test the boundaries.
California is not alone.
Other states are also passing these types of laws. The last time we had a lot of state level laws being passed
it was over spam. Bowing to
business complaints of having to deal with a legal patchwork quilt the U.S.
Congress passed the permission-to-spam act. (http://www.nwfusion.com/columnists/2004/0426bradner.html) I expect the same thing to happen with
each new hot issue -- Congress will pass legislation to preempt and gut the
much stronger state initiatives.
disclaimer: Harvard is
not of one mind on legislation, the B School likes legislation that guts rules,
the School of Government likes any legislation, and the Law School likes
conflicting legislation but I consulted none of them for this column.