Iowa Becomes Latest State to Pass Data Breach Notification Law

Iowa became the 43rd state to pass a data breach notification law (SF 2308), requiring any person who owns or licenses computerized data that includes a consumer's personal information to notify any affected consumer following a data breach that compromises the security, confidentiality, or integrity of such personal information. 

The statute contains some notable exemptions from the notification requirement.  For example, the law contains a “no harm, no notice” provision, meaning that notification is not required if, after an appropriate investigation or after consultation with the relevant law enforcement, it is determined that “no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.”  Also, the statute offers an exemption to those institutions that are subject to and comply with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act.  Moreover, like many state breach laws, such as California’s, the Iowa statute only imposes notification requirements on companies that have experienced a breach that involved personal information that was unencrypted “or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable.”  Lastly, like other states, the law allows for substitute notice provisions if either the cost of giving individual notice is greater than a certain dollar amount or the number of individual to be notified is in excess of a specified number.  Specifically, the Iowa law allows substitute notice if the cost of providing notice exceeds $250,000, the affected class of consumers to be notified exceeds 350,000, or if the company does not have sufficient contact information to provide notice.   

Disloyal Employees and the CFAA: The Debate Continues

A civil cause of action under the Computer Fraud and Abuse Act (CFAA) frequently is pleaded in cases where an employer is suing a former employee for misappropriation of trade secrets or copying of proprietary information, and the employee’s actions involved some kind of access to or use of the employer's computer network. While disloyal employee behavior could present valid claims under state trade secret law or contract law, does it present a federal case?   

Currently, federal courts are split on this issue.  In interpreting the terms “unauthorized access” under the CFAA, in certain instances, some courts have allowed cases against disloyal employees on the theory that the employee's disloyal conduct ran counter to company policy and was “unauthorized,” while other courts have held that an employee could not be liable under the CFAA where initial access to the company computers was permitted. As we have previously blogged and written about in depth, the recognition of such claims is controversial, because the usual scenario involves an employee accessing information to which the employee had authorized access at the time, at least in the common meaning of "authorized access."

As the debate continues, two courts in April have sidestepped the “authorized access” thicket and instead dismissed CFAA claims against former employees on other grounds. 

In American Family Mutual Insurance Co. v. Rickman, No. 08-583, 2008 U.S. Dist. LEXIS 32480 (N.D. Ohio Apr. 18, 2008), the court considered the issue of whether the CFAA can be used against employees who access information from a company computer and later use that information against the employer.  However, the court declined to enter the “authorized access” debate:   

The gravamen here, too, is what Defendant did with allegedly proprietary information. However, the Court need not resolve this split of authority because its analysis of "loss" under the CFAA provides a clear basis for dismissal. The Court turns to the statutory definition of "damage" and "loss" as well as case law interpreting these statutory definitions.

Thus, the court held that an alleged disloyal employee who copied proprietary company files was not liable under the CFAA because losses under the statute are compensable only when they result from damage to a computer system or an interruption of computer service.  Based upon a failure to properly plead “loss” under the statute, the Ohio district court dismissed the employer’s action and CFAA claims, noting that the employer “still has traditional state statute and common law remedies available to it for recovery against a dishonest employee.” 

Similarly, in Cohen v. Gulfstream Training Academy, No. 07-60331, 2008 U.S. Dist. LEXIS 29027 (S.D. Fla. Apr. 9, 2008), the court dismissed the employer’s CFAA counterclaim and held that an employee who copied files from his former employer's computer system is not liable under the CFAA, absent a showing of “loss” or “damage” related to an interruption of service.   Ultimately, the court ruled that the alleged copying of the employer’s files and wooing of the employer’s clients does not constitute "loss" under the CFAA absent claims related to an interruption of computer service.

Court Grants CDA Immunity for ISP Spam-Blocking

In the world of NFL football, certain prohibited blocking techniques done by the offense, such as clipping, chop blocking, and illegal blocking from behind, are penalized if the referee sees it on the field and throws a flag.  However, in the world of Internet service providers (ISPs), spam blocking is a big concern and is a desirable feature to Internet users, particularly given the latest report from Sophos stating that spam messages in the first quarter of 2008 accounted for over 90 percent of all email sent. 

However, does an ISP have any protections from the potential “penalty” of legal liability for the good faith blocking of suspected spam that the ISP deems “objectionable”?  A recent decision from the Northern District of Illinois states that under the law, a choice to block objectionable material, even a mistaken one, if made in good faith, cannot be the basis for liability under federal or state law.  In e360Insight, LLC v. Comcast Corp., No. 08-340, 2008 U.S. Dist. LEXIS 29287 (N.D. Ill. Apr. 10, 2008), the court held that the an ISP, that blocked an Internet marketer’s objectionable spam is immune from liability under the "Good Samaritan" provision of the Communications Decency Act (CDA) for claims of tortious interference and unfair practices, among others.  The court dismissed the marketer’s action, finding the ISP immune under Section 230(c)(2)(A) as an provider of an “interactive computer service” that in good faith “restricted access to” material that the provider considered “objectionable.”  The court found that the marketer’s bulk e-mails were the sort of communications that an ISP could deem to be objectionable, noting that the CDA imposes a “subjective element” and only requires that the provider subjectively deem the blocked material objectionable.  In support of this proposition, the court cited the Zango v. Kaspersky Lab decision from last year, where a district court found that a software maker, whose anti-spyware software classified an Internet software maker’s Web-based product as potential malware, was immune from liability under the CDA’s "Good Samaritan" provision. The court also rejected the marketer’s arguments that its emails complied with the CAN-SPAM Act and the ISP had no right to block them, concluding that compliance with the CAN-SPAM Act “does not evict the right of the provider to make its own good faith judgment to block mailings.” 

Ninth Circuit En Banc Affirms CDA Immunity Ruling in Roommates.com Case

In Fair Housing Council v. Roommates.com, the roommate-matching site was sued for violations of the Fair Housing Act. The Ninth Circuit, sitting en banc, has now affirmed the panel ruling that the site may be liable for violations of the FHA because of the manner in which the site elicits information from prospective roommates. To summarize, the site requires users to answer questions about sex, family status and sexual orientation, among other characteristics, in a series of structured questions, and then matches potential roommates on the basis of those characteristics. The concluded that this technique rendered Roommates.com an "information content provider" and thus outside the protection of CDA Section 230:

Here, the part of the profile that is alleged to offend the Fair Housing Act and state housing discrimination laws—the information about sex, family status and sexual orientation—is provided by subscribers in response to Roommate’s questions, which they cannot refuse to answer if they want to use defendant’s services. By requiring subscribers to  provide the information as a condition of accessing its service, and by providing a limited set of pre-populated answers, Roommate becomes much more than a passive transmitter of information provided by others; it becomes the developer, at least in part, of that information. And section 230 provides immunity only if the interactive computer service does not “creat[e] or develop[]” the information “in whole or in part.” See 47 U.S.C.§ 230(f)(3).

What impact will this ruling have? Perhaps very little, due to the unique combination of the nature of the site and the particular law allegedly violated. The Roommates site is structured in such a way that users are required to answer questions concerning protected categories such as sex, family status and sexual orientation in order to use the site. Although the court did not rule on whether the site actually violated the FHA because of the procedural posture of the case, the court noted that the FHA does provide for liability merely for asking questions about protected categories, and therefore the plaintiff had at least a "plausible claim" that the site violated the FHA.

Also, keep in mind that the Seventh Circuit ruled very recently that online site Craigslist is not liable under the FHA for discriminatory postings by its users, noting that the site does not structure the information provided by users according to discriminatory criteria. The Ninth Circuit expressed the view that its ruling is consistent with the Craigslist ruling, similarly distinguishing comments by users posted in the free form "additional comments" portion of a user's profile from information elicited via a structured questionnaire:

Websites are complicated enterprises, and there will always be close cases where a clever lawyer could argue that something the website operator did encouraged the illegality. Such close cases, we believe, must be resolved in favor of immunity, lest we cut the heart out of section 230 by forcing websites to face death by ten thousand duck-bites, fighting off claims that they promoted or encouraged—or at least tacitly assented to—the illegality of third parties. Where it is very clear that the website directly participates in developing the alleged illegality—as it is clear here with respect to Roommate’s questions, answers and the resulting profile pages—immunity will be lost. But in cases of enhancement by implication or development by inference—such as with respect to the “Additional Comments” here—section 230 must be interpreted to protect websites not  merely from ultimate liability, but from having to fight costly and protracted legal battles.

Thus, as we suggested in our previous post following oral argument the Roommates case, CDA Section 230 immunity may depend upon site design, at least in the Ninth Circuit.

Fair Housing Council of San Fernando Valley v. Roomates.com, LLC, No. 04-56916 (9th Cir. Apr. 3, 2008)

Does CDA Section 230 Protect Web Sites From State Law Right of Publicity Claims? One Court Says "No."

Section 230 of the Communications Decency Act protects Web site owners and other providers of "interactive computer services" from many types of claims based on content provided by third parties, but the statute contains a number of exceptions. One of the most significant exceptions is that for intellectual property claims. 47 U.S.C. 230(e) provides: "Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property." Thus, a Web site owner remains open to liability for third party content under "intellectual property" laws.

The Copyright Act clearly is a "law pertaining to intellectual property," and thus the CDA does not protect Web site owners from copyright claims based on third party content, but Web site owners may seek protection from those claims under the safe harbor provisions of the Digital Millenium Copyright Act. Trademark laws also pertain to intellectual property, but there is no safe harbor law to protect Web site owners from trademark-related claims. Thus, they are left open to claims by trademark owners, as evidenced by the current litigation by Tiffany seeking to hold the eBay auction site liable under trademark laws for fake merchandise sold by eBay users.

But what about state law right of publicity claims? Are they claims based on laws "pertaining to intellectual property"?

In one of the Perfect 10 cases in the Ninth Circuit, the court noted the variety of state right of publicity laws, and the difficulty of classifying them. Rather than ruling on the proper characterization of those laws, the court held that the term "intellectual property" in the CDA Section 230(e) refers only to federal intellectual property rights, because allowing the states' varying definitions of intellectual property to "dictate the contours of [CDA] immunity would be contrary to Congress's expressed goal" of fostering the Internet." Perfect 10, Inc. v. CCBill LLC, 488 F.3d 1102  (9th Cir. 2007). As a result, Perfect 10's claims based upon the rights of publicity of the models depicted in its adult images (which rights the models assigned to Perfect 10) were not within the intellectual property exception to CDA Section 230 immunity and were thus precluded by Section 230.

A district court in the First Circuit has now squarely rejected the Ninth Circuit approach, ruling in Doe v. Friendfinder Network, Inc. (D. N.H. Mar. 27, 2008) that right of publicity laws are laws "pertaining to intellectual property," and thus claims under such laws are not precluded by Section 230 immunity:

    ... This court has no reason to believe that reading § 230(e)(2) to exempt state intellectual property law would place any materially greater burden on service providers than they face by having to comply with federal intellectual property law--an obligation that persists under even Perfect 10's construction of the CDA. That court’s view that “inclusion of rights protected by state law within the ‘intellectual property’ exemption would fatally undermine the broad grant of immunity provided by the CDA,” 488 F.3d at 1119 n.7, is simply unsupported.
    Thus, even if it were free to disregard the plain language of § 230(e)(2), this court cannot accept the defendants’ claim at oral argument that allowing state-law intellectual property claims to survive the CDA would have a “devastating” impact on the internet. Despite the general consensus before the Perfect 10 decision that the CDA did not shield service providers from state intellectual property law, both the internet and so-called “e-commerce” remain alive and well, and show no signs of imminent collapse.  *** Indeed, while protecting third-party intellectual property rights no doubt presents some challenges for service providers like the defendants, those challenges would appear to be simply a cost of doing business on-line. They certainly cannot support judicially rewriting the CDA, in any event.

The plaintiff in Doe v. Friendfinder alleged that she was the subject of a false profile posted by an anonymous party on an adult social networking site. Among other claims, she alleged that the false profile violated her "Invasion of Privacy/Intellectual Property Rights" under New Hampshire law.  Having held that a right of publicity claim is not precluded under Section 230, the court embarked upon exactly the kind of fine-grained analysis of the nature of the rights being asserted that the Ninth Circuit rejected in Perfect 10 v. CCBill. The court concluded that in her "Invasion of Privacy/Intellectual Property Rights" count, the plaintiff was asserting four privacy torts recognized by the New Hampshire Supreme Court, only one of which constituted a right of publicity claim. To the extent that the plaintiff was asserting invasion of privacy claims, the court concluded, those claims were precluded under Section 230:

While the plaintiff objects to the dismissal of any part of Count I on the ground that it asserts “intellectual property rights” under § 230(e)(2), her argument and authorities on that score address only the fourth theory, commonly known as a “right of publicity” claim. See, e.g., Carson v. Here’s Johnny Portable Toilets, Inc., 698 F.2d 831, 834 (6th Cir. 1983). As the plaintiff points out, “the right of publicity is a widely recognized intellectual property right.” Almeida, 456 F.3d at 1322 (citing authorities). Such a claim therefore arises out of a “law pertaining to intellectual property” within the meaning of the statute. See 1 McCarthy, Rights of Publicity, § 3:42 (opining that § 230 immunity does not apply to claim for infringement of right to publicity by virtue of § 230(e)(2)).

The other three torts encompassed by the “right of privacy” rubric, however, do not fit that description. Unlike a violation of the right to publicity, these causes of action--intrusion upon seclusion, publication of private facts, and casting in false light--protect “a personal right, peculiar to the individual whose privacy is invaded” which cannot be transferred like other property interests. *** The plaintiffs’ claims under these branches of the privacy doctrine, then, do not sound in “law pertaining to intellectual property,” and she offers no authority or argument to the contrary. While § 230(e)(2) exempts her right of publicity claim from the immunity provision of the CDA, then, that provision applies with full force to the other invasion of privacy claims asserted in her complaint.

The end result in Friendfinder is the dismissal of most of the plaintiff's claims, except her right of publicity claim, along with several trademark claims. Those claims are interesting all by themselves. The plaintiff alleged that Friendfinder used her false profile in its advertising and promotional efforts, giving rise to false advertising and false designation of origin claims under the Lanham Act. The court refused to dismiss those claims, rejecting the argument that such claims are limited to celebrities.

Judge Easterbrook Sums Up CDA Section 230 Jurisprudence: You Can't Sue the Messenger

(Well, this definitely is "47 USC 230 week.")

The messenger to which Judge Easterbrook refers is the online provider Craigslist, the case is Chicago Lawyers Committee v. Craigslist, where the plaintiff seeks to hold Craigslist liable for the discriminatory housing ads posted by its users, allegedly in violation of the federal Fair Housing Act.

Today the Seventh Circuit upheld the lower court ruling that Craigslist cannot be held liable for those discriminatory ads, under Section 230 of the Communications Decency Act. This should be no surprise to anyone who listened to the oral argument.

Judge Easterbrook authored the opinion, reiterating his prior view that Section 230 has been incorrectly interpreted by other federal courts as a broad grant of immunity, and referencing his prior opinion on that point in Doe v. GTE, 347 F.3d 655 (7th Cir. 2003).

Despite Judge Easterbrook's differences with other courts on issues of interpretation, the panel agreed that Craigslist is not liable in this case, because under any interpretation of Section 230, holding the provider liable for housing ads posted by its users would make it liable as a "speaker," a result precluded under the statute:

What §230(c)(1) says is that an online information system must not "be treated as the publisher or speaker of any information provided by" someone else. Yet only in a capacity as publisher could craigslist be liable under §3604(c). It is not the author of the ads and could not be treated as the "speaker" of the posters’ words, given §230(a)(1).
***
Using the remarkably candid postings on craigslist, the Lawyers’ Committee can identify many targets to investigate. It can dispatch testers and collect damages from any landlord or owner who engages in discrimination. See Havens Realty Corp. v. Coleman, 455 U.S. 363 (1982); Gladstone, Realtors v. Bellwood, 441 U.S. 91 (1979). It can assemble a list of names to send to the Attorney General for prosecution. But given §230(c)(1) it cannot sue the messenger just because the message reveals a third party’s plan to engage in unlawful discrimination.

It's "47 USC 230 Week" on Eric Goldman's Blog: New CDA Section 230 Immunity Cases

Prof. Eric Goldman is an aficionado of jurisprudence related to immunity under Section 230 of the Communications Decency Act. He has declared this "47 USC 230 Week" on his Technology & Marketing Law blog, in honor of four new cases on the topic. We previously blogged one of them, John Doe Anti-Terrorism Officer v. City of New York, and we highly recommend a trip to Prof. Goldman's blog for in-depth coverage of the others.

Of particular interest is Mazur v. eBay, in which Judge Patel in the Northern District of California rules that marketing representations made by the operator of a Web site about its own operations are outside the scope of Section 230 immunity.

Judge Patel cuts the analysis very finely, distinguishing between liability for eBay's failure to act on its knowledge of sellers' illegal conduct (immune), screening auction houses for inclusion in its Live Auctions (immune), liability for eBay's statements that it "carefully screens" for "reputable auctions houses" (immune, because such statements constitute opinion) and eBay's statements, e.g., that the auctions were "safe" (not immune):

The critical issue is whether eBay acted as an information content provider with respect to the information that [plaintiff] claim[s] is false or misleading."). Plaintiff seeks to hold eBay liable for misconduct with respect to eBay’s own statements regarding the safety, circumstances and caliber of its live auctions. The CDA does not immunize eBay for its own fraudulent misconduct.

***

eBay did not make assurances of accuracy or promise to remove unauthorized auctioneers. Instead, eBay promised that Live Auctions were safe. Though eBay styles safety as a screening function whereby eBay is responsible for the screening of safe auctioneers, this court is unconvinced. eBay’s statement regarding safety affects and creates an expectation regarding the procedures and manner in which the auction is conducted and consequently goes beyond traditional editorial discretion.

Immunity under Section 230 of the CDA has been repeatedly held to be extremely broad, of course, and cases probing the limits of that immunity are relatively rare. We are currently awaiting the issuance of opinions in two such cases pending in circuit courts of appeal, i.e., the Ninth Circuit opinion on rehearing en banc in Fair Housing Council v. Roommates.com, and the Seventh Circuit opinion in Chicago Lawyers' Committee v. Craigslist.

The Election That Refuses To Die: Ninth Circuit Refuses En Banc Rehearing in Vote Swapping Web Site Case

Last August, the Ninth Circuit ruled in Porter v. Bowen that Web sites that enabled "vote swapping" amongst voters in the 2000 presidential election were protected by the First Amendment. As we related in our prior blog on the case, the vote-swapping plans of the Web site organizers were abandoned when Bill Jones, then California Secretary of State, threatened the organizers of one of the vote-swapping Web sites with criminal prosecution under various California election and penal laws. Three of the vote-swapping organizers subsequently brought an action against Jones in federal court seeking declaratory and injunctive relief, and damages. The case was twice declared moot, but a panel of the Ninth Circuit disagreed and ruled favorably on the merits of the organizers' First Amendment claims.

Yesterday the Ninth Circuit refused to rehear the case en banc, over the objection of Judge Kleinfeld, joined by Judges Bea and O'Scannlain. Judge Kleinfeld's opinion dissenting from the denial of the petition for rehearing en banc presented the issue as follows:

This case is about whether the First Amendment protects from prosecution people who buy votes. Instead of cash, or beer and cigars, the buyers offered promises. The special twist, a very important one, was that the purpose of the scheme was to effectuate what amounted to people voting in states other than their own. The not very special twist is that instead of standing around the polling place to buy votes, or chartering buses to bring voters to other states, the scheme used internet sites to enable people to exchange promises. The deals were in the form, "if you promise to vote for my preferred candidate in your state, I will promise to vote for your preferred candidate in my state."

The promises of people utilizing the Web site were not mere words, the dissenting judges argued, even if they are not enforceable:

The exchange of promises is an ordinary means of making a contract, whether legal or illegal, and no one has doubted for centuries that promises form consideration for contracts. Contracts are how people buy things of value, sometimes promises to sell goods in exchange for promises to pay, promises of quantity discounts, or, as in this case, promises to vote for the other person’s preferred candidate. The panel considered it important that the vote-swaps operated "without money changing hands," but a promise is consideration whether it involves cash or not. The California statutes, like those of all the other states in this circuit, prohibit vote buying for consideration other than money, as well as for cash. Of course, the buyer of the vote may be cheated by secret nonperformance of the promise he bought, and have no legal remedy, but a promise is good consideration even if the promise is unenforceable, and even if it is "not binding or against public policy."

People who want to influence an election, the judges commented, should get off their duffs and do it the old fashioned way, not set up a vote-swapping Web site:

If people in one state want people in another state to vote a particular way, they can go there and ring doorbells, send them letters, buy advertisements on their media, publicize arguments on the internet, and otherwise explain to them why they ought to vote a particular way. But they do not have a constitutional right to buy their votes, with money or promises.

The refusal to rehear the case en banc does not finally dispose of the case, of course. There is the possibility of a petition for certiorari to the U.S. Supreme Court, although it seems unlikely that the Justices will want to revisit issues involving the 2000 presidential election.

 

Forwarding Offensive Articles Along With Additional Offensive Comments Falls Outside Protection of CDA Section 230

John Doe Anti-Terrorism Officer v. City of New York, No. 06-cv-13738 (S.D.N.Y. Feb. 6, 2008), involves the sending of offensive articles by e-mail, to which the sender allegedly added his own offensive comments.

The case involves hostile work environment claims brought by a New York City law enforcement officer assigned to a unit that identifies terrorism threats to the City. The officer is an Arab-American and a Muslim. The defendant Tefft is a counterterrorism adviser to the Department who sent periodic e-mail briefings to members of the plaintiff's unit. The plaintiff alleges that those e-mail briefings included third-party content containing statements derogatory of Muslims, and that Tefft added his own derogatory comments as well.

The opinion refers to the third-party content forwarded by Tefft in his e-mail briefings as "articles," without explanation as to whether the articles were print material gathered by Tefft and converted to electronic form, or whether they were articles in electronic form that were forwarded to Tefft by third parties. The difference between these two scenarios ordinarily is important for CDA Section 230 analysis.

Tefft moved to dismiss the complaint, claiming CDA Section 230 immunity. The District Court denied the motion, in a ruling that is less than fine-grained, so far as the analysis of the Section 230 immunity claim is concerned. In summary, the District Court ruled that Tefft's addition of his own objectionable comments to the objectionable articles brought him outside the protection of CDA Section 230:

    However, Tefft’s attempt to seek shelter under this statute for the emails he sent as an individual is misguided. The CDA provision he cites was intended to protect interactive computer service providers and websites that host third-party content on their servers or sites. See Blumenthal v. Drudge, 992 F. Supp. 44, 49-53 (D. D.C. 1998). Tefft’s argument that his emails were akin to a blog, website, or listserv because he forwarded third-party content that he found relevant or interesting also fails. When Tefft attached his own commentary to his listserv, he ceased to be a passive host of third-party information. See id. at 50 ("Section 230(c)(1) would not immunize [defendants] with respect to any information [they] developed or created entirely by [themselves]."). For example, the plaintiff alleges that Tefft forwarded an article entitled "Is the Arabic Language ‘Perfect’ or ‘Backwards’?" With it, Tefft added: "the language may not be backwards but the people speaking it are." Compl. ¶ 53(l). When Tefft added his own allegedly tortious speech to the third-party content he forwarded, he fell out of the statute’s protections. See id.

    Tefft’s argument also fails because the statute is clearly not meant to immunize his conduct from liability. The portion of the statute that includes "users[s] of interactive computer services" cannot be interpreted to apply to Tefft’s conduct. Doing so would exempt virtually all Internet use from liability, expanding the statute’s reach beyond that which Congress intended. See Zeran v. America Online, Inc., 129 F.3d 327, 330-31 (4th Cir. 1997)(noting that Congress intended the statute to confer immunity on service providers that act as publishers and host third-party content, while maintaining the ability "to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer"). Thus, the CDA does not compel this Court to dismiss Plaintiff’s claims.

The court's end result is correct, because CDA Section 230 wasn't intended to immunize parties from liability for their own statements. But some of the court's analysis in reaching that result bears comment.

To the extent that the ruling suggests that Section 230 immunity is limited to situations involving the hosting of content on servers and Web sites, it is incorrect. Claims of immunity under Section 230 of the Communications Decency Act most often are raised in situations involving Web site postings, but they can be raised in situations involving other Internet communications media. A notable example in that regard is Batzel v. Smith , 333 F.3d 1018 (9th Cir. 2003), where the operator of an e-mail newsletter asserted CDA immunity for statements made in an e-mail authored by a third party and included in the e-mail newsletter. See also Delfino v. Agilent, 52 Cal.Rptr. 3d 376 (Cal. Ct. App., 6th Dist. 2006) (employer immune under Section 230 for e-mails sent by employee).

The District Court also failed to treat the issue of whether the articles forwarded by Tefft constituted information "provided by another information content provider." The discussion in Batzel v. Smith on this point is informative, and illustrates why the source of the articles in John Doe Anti-Terrorism Officer v. City of New York (i.e., whether they were "provided" to Tefft by "another information content provider" or whether he simply collected them and copied them himself for forwarding) is an important fact:

    Critically, however, § 230 limits immunity to information "provided by another information content provider." § 230(c)(1). An "information content provider" is defined by the statute to mean "any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service." § 230(f)(3). The reference to "another information content provider" (emphasis added) distinguishes the circumstance in which the interactive computer service itself meets the definition of "information content provider" with respect to the information in question.

    ***
    The structure and purpose of § 230(c)(1) indicate that the immunity applies only with regard to third-party information provided for use on the Internet or another interactive computer service. As we have seen, the section is concerned with providing special immunity for individuals who would otherwise be publishers or speakers, because of Congress’s concern with assuring a free market in ideas and information on the Internet. If information is provided to those individuals in a capacity unrelated to their function as a provider or user of interactive computer services, then there is no reason to protect them with the special statutory immunity. So, if, for example, an individual who happens to operate a website receives a defamatory "snail mail" letter from an old friend, the website operator cannot be said to have been "provided" the information in his capacity as a website service.[] Section 230(c)(1) supplies immunity for only individuals or entities acting as "provider[s]" or "user[s]" of an "interactive computer service," and therefore does not apply when it is not "provided" to such persons in their roles as providers or users.

Batzel v. Smith, slip op. at 8450 & 8453.

Sixth Circuit Rules That Informational Privacy Interest Is Not of Constitutional Dimension

In Lambert v. Hartman, No. 07-3154, 2008 U.S. App. LEXIS 4019 (6^th Cir. Feb. 25, 2008), the Sixth Circuit has ruled that an identity theft victim’s federal civil rights claim under 42 U.S.C. §1983 against a state agency that posted her social security number and other personal information on a public Web site is not cognizable because the victim’s rights to informational privacy does not implicate fundamental constitutional rights. The information was contained in a traffic citation issued to the victim that was posted by on the site by a county clerk.

The appeals court affirmed the lower court’s dismissal of the plaintiff’s action, ruling that the release of the plaintiff’s personal information did not implicate a fundamental right.

The court concluded that Sixth Circuit precedent recognizes an informational-privacy interest of constitutional dimension only in cases where the release of personal information could lead to bodily harm or personal humiliation, and not where the plaintiff has asserted a risk of financial harm. The court rejected the plaintiff’s argument that the state’s actions implicated a fundamental liberty interest and declined to create a new fundamental right, holding that the court’s precedents “are not amenable to the recognition of a constitutional right to privacy based on the infringement of a property interest.” In expressing its reticence to recognize such a right, the court commented: 

Lambert has undoubtedly shown that, as a policy matter, the Clerk’s decision to provide unfettered internet access to people’s Social Security numbers was unwise. This much is evidenced by the fact that the Defendants have subsequently removed the citations in question from the website and changed the local rules to better protect sensitive personal information. But to constitutionalize a harm of the type Lambert has suffered would be to open a Pandora’s box of claims under 42 U.S.C. § 1983, a step that we are unwilling to take. See Paul v. Davis, 424 U.S. 693, 699 (1976) (rejecting a § 1983 claim against police officials who included the plaintiff’s name and mug shot on a flyer warning local merchants about possible shoplifters, and explaining that the plaintiff’s legal argument “would seem almost necessarily to result in every legally cognizable injury which may have been inflicted by a state official acting under ‘color of law’ establishing a violation of the Fourteenth Amendment”). Indeed, absent a showing of an infringement of a right that is “fundamental or implicit in the concept of ordered liberty,” this court’s precedents bar an action under 42 U.S.C. § 1983 from proceeding any further. Lambert has simply failed to make such a showing.