Privacy Law Blog

Courts Address the Level of Security Banks Must Provide to Business Accounts

Posted in Cyber Security

Big or small, all bank accounts are susceptible to hijacking and fraudulent wire transfers. Banks ordinarily bear the risk of loss for unauthorized wire transfers. Two independent frameworks exist to govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts, and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts.

While the EFTA will ordinarily shield consumers from having to pay for most unauthorized charges as long as they provide notice to their bank, UCC §4A-202 shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.

The commercial reasonableness of a security procedure is a question of law, and courts will consider several factors, including:

  • Customer instructions expressed to the bank
  • The bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
  • Alternative security procedures offered to the customer
  • Security procedures in general use by similarly situated banks and customers

In addition, a security procedure will be found commercially reasonable if the customer selected it after refusing a security procedure that was commercially reasonable for the customer’s needs.


What Preemption? Connecticut State Court Gives Life to Negligence Claims Based on HIPAA Privacy Standard of Care

Posted in HIPAA

Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws. When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.” On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care. In so holding, the Court

Native Advertisers Face Closer Scrutiny From Industry Self-Regulatory Bodies

Posted in Behavioral Marketing, Online Privacy

With paywalls and premium subscriptions finding only modest success, paid advertisements remain the primary means of generating revenue from online content. Native advertising has emerged as a leader in the competition for ad impressions and brand engagement. Expected to grow from $7.9 billion in spending this year to $21 billion by 2018, native advertising is lauded as the future of online advertising.

From the Right to be Forgotten to the Right to an “e-Reputation”: First Enforceability Ordered by French Court under Penalty

Posted in Data Privacy Laws, International, Online Privacy, Privacy Litigation

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are personal data controllers under the EU Data Protection Directive of 1995 and, as such, must provide data subjects with a right to be forgotten, a French court applied this principle in X & Y v. Google France.

In a summary proceeding on September 16, 2014, the Paris Tribunal (Tribunal de Grande Instance) held that Google must remove from its search engine, under penalty of €1,000 per day, all links leading to defamatory content published on Facebook (see attached judgment: TGI Paris – Ordonnance du 16 septembre 2014).

A Primer on EMV Technology for Merchants

Posted in Miscellaneous

With the new year just around the corner, retailers should make a resolution to learn more about EMV technology. That’s because 2015 is slated to be the year EMV technology makes significant inroads in the United States, and retailers need to be prepared. In this post, we answer some frequently asked questions about what the introduction of this new standard means for retailers and the steps they must take in order to prepare for the widespread adoption of this new technology.

Attention Retailers: Target Data Breach Ruling Finds Duty Owed to Issuer Banks

Posted in Data Breaches

The Court hearing the Target data security breach litigation issued a ruling on December 2, 2014, largely denying Target’s motion to dismiss the Consolidated Amended Class Action Complaint in the Financial Institutions Cases. In his decision, Judge Magnuson found that Target owed the issuer banks a duty to protect customer data from hackers, a determination based on allegations that Target played a “key role” in allowing the break-in to occur by intentionally disabling one of the security features that would have prevented the harm. Decision at 5. At issue in the case is whether Target should be held responsible for the costs incurred by the issuer banks as a result of fraudulent charges and for replacing customers’ credit and debit cards.

The importance of the decision is that it provides banks with a legal basis to seek to hold merchants financially responsible for the costs of data breaches if the facts suggest the merchants’ data security systems were deficient.

Of course, this is just the first round in the litigation, and the banks will still need to prove their case before liability can be imposed on Target. That said, this decision is surely a sign of things to come, and we will continue to mind the store and report on developments.

European DPAs Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

Posted in Data Privacy Laws

The Article 29 Working Party, which is composed of representatives of the DPAs of every EU member state, has recently issued an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified-self devices, and domotics (home automation). Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.

Advertising Industry Enforces Enhanced Behavioral Advertising Notice Requirements on Websites

Posted in Behavioral Marketing

On October 28, the Online Interest-Based Advertising Accountability Program (Accountability Program) released five decisions in which the website operators agreed to update their respective websites to provide enhanced notice as required under the Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles). The Accountability Program enforces the OBA Principles on behalf of the Digital Advertising Alliance, and these decisions stem from a compliance warning issued by the Accountability Program in October 2013.

The 2013 compliance warning explained the responsibility of website operators to (i) provide enhanced notice on every page where they permit third parties to collect information for interest-based advertising or when they themselves transfer such data to unrelated third parties, (ii) link that real-time notice to their explanation of their third party interest-based advertising practices (which disclosure must either link to an industry-developed consumer choice page or list every third party conducting OBA activity on the website) and (iii) signal their adherence to the OBA Principles. The recent decisions confirmed the responsibilities set forth in the compliance warning and further illustrated how compliant implementation of enhanced notice can be achieved. The decisions noted that enhanced notice links must appear on every page where a third party is collecting information for interest-based advertising, be separate from the link to the website’s privacy policy and should go directly to the place in the privacy policy where the disclosure is located (not just generally to the privacy policy) or to another location on the website where that explanation is provided.

These decisions serve as a reminder to website publishers that they cannot pass all responsibility for compliance with the OBA Principles on to advertisers, and that they should periodically review their privacy disclosures for compliance with applicable industry guidelines. As noted by Accountability Program Director Genie Barton, these cases are “only the beginning of [their] enforcement of website notice and choice.”

FCC Confirms Solicited Fax Ads Must Include an Opt-Out

Posted in Direct Marketing, TCPA

Last Thursday the Federal Communications Commission (FCC) issued an order confirming that companies must include opt-out instructions on all fax ads, even for recipients who previously agreed to receive a fax from the company. The order clarifies that solicited fax ads, like unsolicited ads, must also comply with the rules set forth in the FCC’s 2006 Junk Fax Prevention Order. All fax ads must contain an opt-out notice that (1) is clear and conspicuous and on the first page of the ad, (2) states that the recipient may make a request to the sender not to send any future ads, and (3) contains a domestic phone and fax number so that the recipient has a contact for opt-out purposes.

FCC: The New Data Security Sheriff In Town

Posted in Cyber Security, Data Breaches, Data Privacy Laws, Security Breach Notification Laws

Data security seems to make headlines nearly every week, but last Friday a new player entered the ring. The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission. In its 3-2 vote, the FCC did not tread lightly: it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.

New Jersey bill to prohibit unsolicited text message advertisements pending Governor signature

Posted in Mobile Privacy, TCPA, Uncategorized

A New Jersey bill that prohibits unwanted text message advertisements has been sent to the Governor for final consideration. A. 617, which passed unanimously in the Assembly on June 26 and in the Senate on Sept. 22, would, if signed into law, make it illegal to send a text message advertisement to a New Jersey resident if it caused the recipient to incur a telecommunications charge or a usage allocation deduction. Sponsors of the bill noted an increasing number of complaints from consumers regarding unsolicited text messages advertising goods and services. The bill would also bar text message advertisements sent without prior express authorization from the recipient that includes the number to which the text message may be sent. The bill provides an exception where an advertiser can demonstrate that the unsolicited text message advertisement was an isolated message sent no more than once in a 12-month period. In addition, the bill requires telecommunications companies that sell text messaging services to offer an option allowing customers to block all incoming and outgoing text messages. According to the sponsors’ statement, violations would be subject to a maximum penalty of $10,000 for a first offense and $20,000 for each subsequent offense.

The New Jersey bill follows closely behind a similar Connecticut law passed in early July. The Connecticut legislation amended the state’s existing telemarketing law to cover unsolicited marketing text and media messages as well as phone calls. The amended law prohibits, among other things, sending unsolicited marketing text messages and unsolicited marketing “media messages” without first obtaining prior express written consent (as defined by the FCC’s rules under the Telephone Consumer Protection Act). As revised, the Connecticut law provides for a maximum fine of $20,000 per unsolicited message, and a violation of the law constitutes a violation of the Connecticut Unfair Trade Practices Act, which provides for a private right of action.

In addition, California, Rhode Island and Washington all have laws on the books that regulate the ability of companies to send text message advertisements.

At the federal level, the Telephone Consumer Protection Act also requires prior express written consent when autodialer technology is used to send promotional messages. Since the various laws applicable to text messages differ in scope and in how they define consent, companies should continue to monitor text message requirements nationwide and ensure their marketing programs comply with the law.

California Updates State Breach Notification Law, Expands Security Procedures to Entities that “Maintain” Personal Information

Posted in California, Data Breaches, Identity Theft, Security Breach Notification Laws

On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85). The amended law, which takes effect January 1, 2015, updates existing law in three significant ways:

  1. Under current law, businesses that own or license personal information about a California resident must implement reasonable security procedures and practices appropriate to the nature of the information. This requirement is expanded to also include entities that merely “maintain” such personal information.
  2. Under current law, businesses that own or license personal information may be required to issue a security breach notification to affected individuals in the event of a breach where an individual’s social security number or driver’s license number may have been exposed. The amended law provides that if the entity providing the notification was the source of the breach, an offer to provide identity theft prevention or mitigation services, if any, must be made at no cost to the affected person for at least 12 months, along with all information necessary to take advantage of the offer. The breach notification requirement does not apply to entities that merely “maintain” personal information. Given the words “if any,” and the ambiguity as to whether those words refer to the availability of credit monitoring services in the marketplace or to whether the business has chosen to offer them, it is not clear from the law whether this constitutes an absolute requirement to offer credit monitoring services to affected individuals. That said, we note that the bill’s co-author, Assemblyman Roger Dickinson, stated his view in a recent interview with Law360 that the offer to provide credit monitoring services is mandatory when a driver’s license number or social security number was breached.
  3. Under current law, a business may not publicly disclose an individual’s social security number or engage in other acts that might compromise its security. The amended law clarifies that, except as permitted by law, a person or entity may not sell, advertise for sale, or offer to sell an individual’s social security number.

For purposes of #1 above, the amended law defines the term “maintain” to include personal information that a business maintains but does not own or license. This appears to include entities that host or otherwise retain data for others, such as “cloud” storage companies and businesses that collect information but do not own or license it. These entities will need to implement and maintain reasonable security procedures and practices to the extent that the data they hold contains personal information. That said, the law provides that such security procedures and practices are scalable; they should be “appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”