This Advertisement is Brought to You By...You


A new advertising icon was released last week by a privacy advocacy group in conjunction with a group of advertisers and agencies as part of an effort to educate consumers about behavioral advertising and head off federal regulation.


2009 Ponemon Institute "Cost of a Data Breach" Study Released

This past week, the Ponemon Institute announced the publication of its fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, presents the results of the Ponemon Institute's research into data breach incidents that occurred in 2009.

Overall, as in previous years, the study found that U.S. organizations continue to see increased costs associated with the data breaches they suffer.


District Court Rules TCPA Applies to Text Messages Even Though Recipient Not Charged to Receive the Message

The U.S. District Court for the Northern District of Illinois recently ruled that a plaintiff may maintain a suit for receiving an unsolicited Short Message Service (“SMS”) text message under the Telephone Consumer Protection Act (TCPA) of 1991, even though the plaintiff was not actually charged for receiving the message. In Abbas v. Selling Source, LLC, No. 09-CV-3413 (N.D. Ill. Dec. 14, 2009), Judge Joan B. Gottschall noted that in enacting the TCPA, “Congress was just as concerned with consumers’ privacy rights and the nuisances of telemarketing” as it was with the cost-shifting of communications addressed by the TCPA. Judge Gottschall went on to state that “[a]utomated calls invade privacy and pose nuisances regardless of whether the called party is charged for the call, and so congressional intent is furthered by the TCPA’s application to both charged and uncharged calls.”


French Supreme Court Limits the Scope of the Whistleblowing Processes

The implementation of codes of conduct and whistleblowing systems is expanding at the international level. Global companies must pay attention to local law requirements when rolling out these codes in foreign countries, notably in order to comply with the rules and regulations issued by the local data protection authorities to govern data processing.

A recent decision rendered on December 8, 2009, by the French Supreme Court provides a good illustration of issues that may be raised by local laws in the implementation of whistleblowing procedures abroad.

For the first time, the French Supreme Court addressed the validity of a Code of Conduct that had been implemented by a listed company (Dassault Systèmes, a French software company) in order to comply with the Sarbanes-Oxley Act.

By its decision, the French Supreme Court overruled the decision of the Court of Appeal, which had declared the whistleblowing system implemented by the Code of Conduct of Dassault Systèmes compliant with the requirements of the French data protection authority (CNIL) and therefore legal.

In a landmark decision rendered in 2005, the CNIL considered that the broad and anonymous whistleblowing procedures of several companies, including the McDonald’s Company, that had been adopted in order to implement the requirements of the Sarbanes-Oxley Act, were contrary to French law and in particular to the French data protection law of January 6, 1978. The CNIL held that it had no fundamental objection to that kind of system, but it expressed the opinion that whistleblowing processes should not be transformed into an organized system of professional denouncement which may jeopardize the employees’ individual rights.

In order to reach a compromise between SOX requirements and French law provisions, the CNIL issued a Deliberation on December 8, 2005. The Deliberation states that companies are authorized to roll out their whistleblowing systems provided they formally disclose the existence of the system and comply with the requirements of the CNIL’s Deliberation. In particular, article 1 of the Deliberation provides that only whistleblowing systems implemented in response to French legislative or regulatory internal control requirements, or to the whistleblowing requirements of the Sarbanes-Oxley Act in areas such as finance, accounting, banking and anti-bribery, may be covered by this Deliberation. Article 3 of the Deliberation provides that facts which are not included in these core areas may be covered by the whistleblowing system if the vital interest of the company or the physical or mental integrity of its members is threatened.

If the scope of the whistleblowing process exceeds the CNIL’s Deliberation, the company is under the obligation to enter into a heavy process with the CNIL, consisting of detailing the information collected, its recipients, the end purpose of the data processing… and obtaining the formal authorization of the CNIL. So far, the CNIL has never given its authorization when the scope of the whistleblowing system exceeds its Deliberation.

In the case at hand, Dassault had implemented a whistleblowing system under the Deliberation and a trade union challenged the validity of the system on the ground that the company should have sought a formal authorization from the CNIL because its scope exceeded the auditing and financial matters.

The Supreme Court ruled that the scope of the Code of Conduct was too broad, in that employees could report not only any breach of the Code relating to finance, accounting and anti-corruption areas, but also any breach in other matters to the extent that it could threaten the vital interests of Dassault or the physical or moral integrity of an individual employee (intellectual property rights, confidentiality, conflict of interest, discrimination, sexual or psychological harassment).

The Court adopted a very narrow reading of the CNIL Deliberation, concluding that a whistleblowing system could not be introduced under the Deliberation for a purpose other than those mentioned in article 1 of the CNIL Deliberation.

In other words, a whistleblowing system that would cover other breaches of the Code of Conduct must be authorized specifically by the CNIL on a case-by-case basis, even though these breaches are material and may threaten the vital interest of the company or the physical or mental integrity of its members.

Last but not least, the Supreme Court also found that Dassault’s Code of Business Conduct did not expressly mention that the individuals concerned had a right of access to the information reported, and a right of rectification where the information is not correct.

Since, from a practical point of view, there is a strong likelihood that the CNIL will refuse to grant an authorization for a whistleblowing system exceeding the scope of its Deliberation, it seems that companies should now restrict their whistleblowing systems to the core areas mentioned in the CNIL’s decision of December 8, 2005, to avoid having their process considered invalid.

Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views on whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff fails to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.


District Court Rules E-mail Order Confirmations Not Subject to FACTA

We have written several times about courts (and Congress) helping to define the scope and applicability of certain provisions of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. One frequently litigated provision, 15 U.S.C. § 1681c(g), involves FACTA’s so-called truncation requirements for printed transaction receipts. On December 2, 2009, in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009), Judge John W. Darrah of the Northern District of Illinois, Eastern Division, held that FACTA’s prohibition against the electronic printing of a debit or credit card’s expiration date on receipts was inapplicable to e-mail order confirmations.


EU Article 29 Working Party Elevates Israel to Rank of Select Few Countries That Are Deemed to Possess "Adequate" Data Protection Laws

On January 5, 2010, the EU Article 29 Data Protection Working Party published an opinion finding that Israel provides an "adequate" level of data protection under the EU Data Protection Directive. Should the European Commission ("EC") adopt the Article 29 Working Party’s recommendation (and there is no reason to think that it would not), Israel will join the ranks of the select few countries that the EU has deemed to have an "adequate" level of data protection, such as Argentina, Canada, and Switzerland (notably, the United States is not on this list).


Netflix Sued for "Largest Voluntary Privacy Breach To Date"

On December 17, 2009, a class action suit was filed against online movie rental giant Netflix, Inc. in the United States District Court for the Northern District of California. Plaintiffs in the suit claim that Netflix has “perpetrated the largest voluntary privacy breach to date.”


Facebook Simplified Its Privacy Policy, But Has Anyone Noticed?

The blogosphere has been abuzz lately about Facebook’s new privacy settings, but lost amid all the noise is Facebook’s implementation of a new user-friendly privacy policy.


Data Breach Class Action Fails - Court Dismisses Securities Fraud Case Against Heartland

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.
