EC Proposal For New Data Protection Regulation

The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe's digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27 member states of the EU (the “member states”) some flexibility as to how the 1995 Data Protection Directive is implemented in their jurisdiction, the new law would apply directly so that there would be an entirely uniform set of data protection standards across the EU.

Key changes include...

Continue Reading...

Massachusetts Data Security Regulations: Deadline To Update Service Provider Contracts Is Fast Approaching

The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is only a month away. By March 1, 2012, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information. This alert summarizes the requirements that will become effective as of March 1, 2012.

Read the entire article.

Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Continue Reading...

Massachusetts Federal Judge Says ZIP Code is Definitely Maybe "Personal Identification Information" . . . Implores Parties to Seek State Court Certification.

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead (see our blog post here) in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court refused to apply the California Supreme Court’s reasoning that the term “address” in § 105(a)’s definition of PII encompassed individual components of an address, and instead relied on a shaky analogy to PIN code to conclude that “a ZIP code can indeed be PII under section 105(a).” Id. at 12. The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. The decision is a strange one for a variety of reasons, not the least of which is the court’s insistence on setting the stage of a David vs. Goliath type showdown at the outset of its opinion only to bounce the “little guy” right out of the arena, but here goes …

Continue Reading...

Who Do You Trust? Proposed Cybersecurity Bill Would Encourage Public-Private Cyber Threat Information Exchange by Providing Legal Immunity

“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain that they can’t trust the timeliness and accuracy of government information about cybersecurity. And cybersecurity experts point to distrust over the motives of the government and competitors as a bar to information sharing among private entities. But despite that, everyone agrees that information sharing would inure to the general benefit of all involved.

Rep. Daniel Lungren of California,Chair of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security, is aiming at impediments to cybersecurity data sharing in a bill introduced on Dec. 15, 2011. S. 3674, the ‘‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011’’ or the “PRECISE Act of 2011,” contains, among other things, a provision that would encourage corporate and industry participation in government sponsored cybersecurity programs by including legal exemptions and protections for private entity information-sharing.  A copy of the bill as introduced is available here.

Continue Reading...

Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

Continue Reading...

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Continue Reading...

Facebook Accedes to the FTC's Poke, Settles FTC's Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Continue Reading...

HIPAA Privacy and Security Audit Pilot Program Takes Flight

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program pursuant to the American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act. The OCR pilot program calls for approximately 150 audits of covered entities, to commence in November 2011 and expected to conclude by December 2012. The audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities.

Continue Reading...

News "Flash" - FTC Settlement Over Use of Flash Cookies Highlights FTC Focus on Consumer Notice and Choice

The Federal Trade Commission has announced a settlement agreement with ScanScout, Inc., an online advertising network alleged to have made misleading statements in its privacy policy which omitted to disclose ScanScout’s use of Flash cookies. The settlement terms require ScanScout to implement various conspicuous (i.e., not hidden in the privacy policy) notices regarding behavioral tracking and opt-out mechanisms that are reflective of recent FTC guidance and developing industry standards. Companies engaging in behavioral tracking (using Flash cookies or otherwise) may look to the terms of this settlement agreement for color on what the FTC wants to see in terms of consumer notices and choices.

Continue Reading...

Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.'s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs' claims for negligence and implied contract should survive Hannaford's motion to dismiss because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers' data, plaintiffs' lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

Continue Reading...

Site Targeting "Tweenagers" Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. Skid-e-kids, a social networking site directed at children ages 7-14, allows children to do many of the things (e.g., share pictures and video) that adults do on Facebook and other popular social networking sites. In fact, according to the FTC, Skid-e-kids advertises itself as the “Facebook and Myspace for kids.”

Continue Reading...

Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System

In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.

Continue Reading...

The FTC Has Your Back, Even When It's Naked: FTC Orders P2P Program's Default File Sharing Settings Changed

On October 12, 2011, the FTC announced that it, along with Frostwire LLC and FrostWire’s managing member, Angel Leon, (collectively, “FrostWire”), agreed to a stipulated final order for permanent injunction resulting from the FTC’s complaint alleging that (a) users of FrostWire’s Android mobile file-sharing application were likely to unwittingly share personal files stored on their mobile devices with other P2P users after installing and running the application, and (b) FrostWire misrepresented to users of FrostWire’s desktop file-sharing application that certain files they downloaded would not be shared with other P2P users.  

Continue Reading...

Ninth Circuit: ECPA Protects Stored Communications of Foreign Citizens

Suzlon Energy Ltd. demanded Microsoft to produce emails from the Hotmail email account of Rajagopalan Sridhar, an Indian citizen imprisoned abroad. The district court held that the Electronic Communications Privacy Act (“ECPA”) prohibited Microsoft from producing the documents even though Sridhar was not a U.S. citizen. The Ninth Circuit affirmed.

Continue Reading...