Friday, August 28, 2009

Information Commissioner's Office (UK) publishes guidance on changes to notification fee

The Information Commissioner's Office (ICO) has published a guidance note, which will come into effect on 1 October 2009, on changes to the notification fee system for data controllers under the Data Protection Act 1998. Under the two-tier notification fee system for data controllers due to be introduced under the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009/1677), a data controller with an annual turnover of £25.9 million and 250 or more members of staff, and public authorities with 250 or more members of staff, will have to pay initial and annual renewal notification fees of £500, while other data controllers will continue to pay a £35 fee (see Legal update, New data protection regulations introduce two-tier notification fee structure). Among other things, the ICO's guidance explains the criteria used to determine which tier a data controller is in; provides details of certain organisations, such as charities, which will always be deemed to fall into the lower tier, regardless of their size or turnover; and explains the rationale for the fee changes.

Source: ICO guidance, Notification fee changes.

IPO rejects opposition to YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME mark for telecoms

A hearing officer of the Intellectual Property Office has dismissed Virgin Enterprises Limited's opposition to an application to register YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME for, among other things, telecommunications in class 38. Virgin Enterprises relied on its earlier registrations of VIRGIN for identical services in class 38 to oppose the mark under section 5(2)(b) of the Trade Marks Act 1994 (TMA). The hearing officer held that there was very little similarity between the marks, and that the average consumer would not assume that there was an economic association between the parties so as to give rise to a likelihood of confusion. The hearing officer also dismissed Virgin Enterprises' opposition under section 5(3) of the TMA, which was based on its earlier mark VIRGIN MOBILE in classes 9 and 38. He held that, although the name VIRGIN MOBILE had acquired a reputation as a trade mark in relation to mobile phones and telecoms, the relevant public would not make a link between the respective marks on account of their lack of similarity. The hearing officer did not consider that the applicant's ordinary English-language use of the word "virgin" amounted to taking advantage of the VIRGIN mark. Case: Application no. 2466095 to register the trade mark YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME and opposition no. 96472, BL 0-216-09, 23 July 2009.

©Legal & Commercial Publishing Limited; Practical Law Company Limited 2009

High Court upholds claim for misuse of confidential information, breach of database right and passing off against ex-employee

The High Court has held that an ex-employee who copied and retained various documents and information belonging to his ex-employer, including thousands of contact details and sales figures, had acted in breach of confidence. Peter Smith J said that the claimant's database was an important tool as it provided an immediate base which the ex-employee could use to start up his rival business of organising conferences. He held that the ex-employee's activities amounted to a classic springboard operation. The judge also held that the ex-employee's acts in extracting a large amount of information from the claimant's database were a breach of article 16(1) of the Copyright and Rights in Database Regulations 1997, as it was clear that the database had been created with substantial investment in obtaining, verifying and presenting its contents. The judge also upheld a claim in passing off as the ex-employee had suggested that the conference his company was organising was a follow-up to the conference the claimants had held the previous year. Case: First Conferences Services Limited & another v Richard Bracchi & another [2009] EWHC 2176 (Ch), 26 August 2009.

Thursday, August 20, 2009

Argentine Court Holds Yahoo!, Google Liable for Defamatory Third-Party Content

They say a picture is worth a thousand words, but an Argentine court recently ruled that a picture can also be worth thousands of dollars in damages. Virginia Da Cunha sued Yahoo! and Google for damages after photos of her that were posted on sex-trade websites, without her consent, appeared in the results of Internet searches for her name. A civil court in Buenos Aires ruled for Da Cunha and awarded her $26,248 in damages, finding that the search engines actively amplified the harm of the defamatory third-party postings by making the sex-trade websites more accessible than they would otherwise be. The court also held that neither company was doing enough to guard against such harm to individuals.

© Copyright 2009 Steptoe & Johnson LLP

Friday, August 14, 2009

District Court “Backs Up” from Ninth Circuit’s Ruling on Access to Stored Email

A district court in Illinois recently determined that opened, web-based emails held by an Internet Service Provider are not in “electronic storage” within the meaning of the Stored Communications Act (SCA). Accordingly, the government could obtain such emails with a mere subpoena rather than a search warrant. The district court came to this conclusion despite the Ninth Circuit’s contrary ruling in Theofel v. Farey-Jones which, as we previously reported, reached a broader interpretation of “electronic storage” and thus affords greater privacy protection for emails.

© Copyright 2009 Steptoe & Johnson LLP

Payment Card Industry Issues Data Security Guidance for Wireless Networks

The Payment Card Industry Security Standards Council released a new set of recommendations on how organizations subject to the PCI Data Security Standard (DSS) should address the data security concerns raised by wireless networks. The DSS requires all participating “merchants, banks, [and] POS [point of sale] vendors” -- as well as their service providers and other contractors -- to implement six sets of security requirements: build and maintain a secure network, protect card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. As we have previously reported, the latest version of the DSS added a requirement that covered entities ensure that "wireless networks transmitting cardholder data or connected to the cardholder data environment [CDE] ... use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission." The guidance issued last month by the Standards Council offers suggestions on how to comply with this requirement.

Is There Such a Thing as an Honest Hacker?

According to the Second Circuit, there just might be. In reviewing a district court’s denial of a preliminary injunction against an alleged computer hacker accused of insider trading, the court drew a distinction between two types of hackers: one who misrepresents her identity to gain access to a computer, and another who takes advantage of a security glitch to achieve the same end. The court suggested that the latter conduct might not be “deceptive” within the meaning of section 10(b) of the Securities and Exchange Act of 1934.