Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
FEDERAL PRIVACY LEGISLATION IS ON ITS WAY; WEB SITE TERMS NOT INCORPORATED IN CONTRACT
August 1, 2006
FEDERAL PRIVACY LEGISLATION IS ON ITS WAY
Recently, the House Energy and Commerce Committee unanimously approved The Data Accountability and Trust Act (DATA). The legislation is designed to safeguard personal data and prevent identity theft. It would require companies to implement data security programs and to notify consumers when their personal information has been compromised in a security breach.
One controversy surrounding the bill concerned when consumers would need to be notified. The committee adopted language that would require notification when there is a "reasonable", rather than a "significant", risk of identity theft, fraud, or other unlawful conduct.
Also under the bill, consumers could correct or dispute the accuracy of records maintained by data brokers, and data brokers would need to establish "reasonable procedures" to verify information they collect. Data brokers would also be required to regularly monitor security systems for breaches. But the bill provides that the definition of data brokers includes only entities that sell information to "nonaffiliated" third parties. This definition is designed to ensure that mailing lists are not inadvertently affected by the law.
The bill would require the Federal Trade Commission to notify the Secretary of Health and Human Services when a data breach includes "individually identifiable" health information. In addition, the FTC would be granted the authority to deem in compliance with the act those companies already meeting the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Health Insurance Portability and Accountability Act requirements.
The bill also contains language:
- prohibiting data brokers from obtaining information on someone by impersonating that person, a practice known as "pretexting";
- requiring a telecommunications carrier, cable operator, or other information transmitter that becomes aware of a security breach to report it;
- exempting from notification requirements data protected by encryption or other approved methods or technology;
- allowing the FTC to recognize future methods or technologies to safeguard data, not just existing encryption capabilities;
- requiring the FTC to study the maintenance of obsolete paper records containing personal information; and
- authorizing the FTC to adopt rules to address any shortcomings in existing law.
The bill, which would preempt state laws, would give enforcement power to state attorneys general, as well as to the FTC.
There's no certainty as to when, if ever, the bill will actually become law. There is a data security measure currently pending in the House Financial Services Committee, and the two bills will need to be reconciled. In addition, the Senate will need to weigh in as well. The issue privacy is of such concern though, that it is virtually certain that Congress will pass some kind of legislation. We'll keep you posted.
A company's terms and conditions set forth on its Web site, and vaguely referenced in a contract, are not incorporated into the contract, according to a recent ruling by a Florida appellate court.
Consolidated Credit Counseling Services Inc. entered a contract with Affinity Internet Inc., d/b/a SkyNetWEB, in which Affinity promised to provide computer and Web hosting services to Consolidated. The written contract stated, "This contract is subject to all of SkyNetWEB's terms, conditions, user and acceptable use policies located at http://www.skynetweb.com/company/legal/legal.php."
The Web site terms and conditions, at Paragraph 17, stated that any controversy or claim arising out of the agreement would be subject to arbitration.
Apparently, things did not go very smoothly and Consolidated sued, alleging breach of contract, unjust enrichment, fraud in the inducement, and violation of Florida's Deceptive and Unfair Trade Practices Act. In response, Affinity, relying on the Web site terms, moved to compel arbitration.
Consolidated countered that the contract did not contain an arbitration clause, and that the collateral documents that Affinity cited were not a part of the contract.
The court agreed with Consolidated. According to the court, the issue was "whether a written agreement to arbitrate exists at all." The court felt that a mere reference to another document was not sufficient to incorporate that other document into the contract. The court also considered it significant that the Web terms were not attached to the contract, and that Consolidated never received a copy of the collateral document or the information contained therein. In order to effectively incorporate a collateral document, according to the court, "the contract must not only expressly refer to the document, but it must also sufficiently describe the document."
Affinity didn't help its own cause either. Apparently, the Web site for the user agreement, which was listed in the contract, was different from the Web site given by Affinity's representative in her affidavit. This confusion didn't do much for the court, which wrote, "Under these circumstances, Consolidated could not be obligated to arbitrate."
The rule here is pretty clear. In drafting and negotiating contracts, don't rely on the hidden ball trick. If you want terms incorporated, better to be explicit than implicit.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.