A New Jersey bill which prohibits unwanted text message advertisements has been sent to the Governor for final consideration. A. 617, which passed unanimously in the Assembly June 26 and in the Senate Sept. 22, if signed into law, would make it illegal to send a text message advertisement to a New Jersey resident if it caused the recipient to incur a telecommunications charge or a usage allocation deduction. Sponsors of the bill noted an increasing number of complaints from consumers regarding unsolicited text messages advertising goods and services. The bill would also bar text message advertisements without prior express authorization from the recipient that includes the number to which the text message may be sent. The bill provides for an exception in the event an advertiser could demonstrate that the unsolicited text message advertisement was an isolated message sent no more than once in a 12-month period. In addition, the bill requires telecommunications companies that sell text messaging services to offer an option allowing customers to block all incoming and outgoing text messages. According to the sponsors’ statement, violations would be subject to a maximum penalty of $10,000 for a first offense and $20,000 for a subsequent offense.
The New Jersey bill is following closely behind a similar Connecticut law passed in early July. The Connecticut legislation amended the state’s existing telemarketing law to cover unsolicited marketing text and media messages as well as phone calls. The amended law prohibits, among other things, sending unsolicited marketing text messages and unsolicited marketing “media messages” without first obtaining prior express written consent (as defined by the FCC’s Rules for Telephone Consumer Protection Act). As revised, the Connecticut law provides for a maximum fine of $20,000 per unsolicited message and a violation of the law constitutes a violation of the Connecticut Unfair Trade Practices Act, which provides for a private right of action.
In addition, California, Rhode Island and Washington all have laws on the books that regulate the ability of companies to send text message advertisements.
On the Federal level, the Telephone Consumer Protection Act also requires prior express written consent when auto-dial technology is used to send promotional messages. Since the various laws applicable to text messages have different scopes of application and consent definitions, companies should continue to monitor text message requirements nationwide and ensure their marketing programs are in line with the law.
On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85). The amended law, which is effective January 1, 2015, updates existing law in three significant ways:
- Under current law, businesses that own or license personal information about a California resident must implement reasonable security procedures and practices appropriate to the nature of the information. This requirement is expanded to also include entities that merely “maintain” such personal information.
- Under current law, businesses that own or license personal information may be required to issue a security breach notification to affected individuals in the event of a breach where an individual’s social security number or driver’s license number may have been exposed. The amended law provides that if the entity providing the notification was the source of the breach, an offer to provide identity theft prevention or mitigation services, if any, must be made at no cost to the affected person for at least 12 months, along with all information necessary to take advantage of the offer. The breach notification requirement does not apply to entities that merely “maintain” personal information. Given the words “if any,” and the ambiguity as to whether those words refer to the availability of credit monitoring services in the marketplace or to whether the business has chosen to offer it, it is not clear from the law whether this constitutes an absolute requirement to offer credit monitoring services to affected individuals. That said, we note that the bill’s co-author, Assemblyman Roger Dickinson, stated his view in a recent interview with Law360 that the offer to provide credit monitoring services is mandatory when a driver’s license number or social security number was breached.
- Under current law, a business may not publicly disclose an individual’s social security number or engage in other acts that might compromise its security. The amended law clarifies that except as permitted by law, a person or entity may not sell, advertise for sale, or offer to sell an individual’s social security number.
For purposes of the first item above, the amended law defines the term “maintain” to include personal information that a business maintains but does not own or license. This appears to include entities that host or otherwise retain data for others, such as “cloud” storage companies and businesses that collect information but do not own or license it. These entities will need to implement and maintain reasonable security procedures and practices to the extent that the data they collect contains personal information. That said, the law provides that such security procedures and practices are scalable; they should be “appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Traditionally, a person’s most valuable assets to be distributed upon death consisted of tangible items such as real property, cash, jewelry and personal effects of sentimental value like photographs and letters. However, the advent of the digital age has brought a shift from file cabinets, mailmen and photo albums to cloud storage, e-mail accounts and online photo streams. Today, virtually everyone has at least some assets that are not physical, but are stored as data and accessed via the Internet. “Digital assets” may include, for example, text messages, instant messaging accounts, e-mails, documents, audio or video images and sounds, social media content, health insurance records, source code, software, databases, online bank accounts, blogs, and the user names and passwords necessary to access online accounts, among other things. More specifically, consider a person’s PayPal or Venmo accounts, which might contain large sums of money, or Google, Yahoo, Facebook or Instagram accounts, which might contain letters, pictures, videos and other items of intrinsic value. The steady growth of most individuals’ online presence has given rise to a novel legal issue – authority over administering the digital assets and accounts of an account holder upon death or disability.
The European Court of Justice, in a decision rendered on May 13, 2014, held that search engines are considered data controllers under the Directive of October 24, 1995 on data protection, and as such they must provide data subjects with a “right to be forgotten.”
A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers. Unfortunately, with these advances come the data security concerns that go hand-in-hand with cloud computing—such as data breaches, hacking, spyware, and the potential misappropriation or misuse of sensitive personal information. With the Family Educational Rights and Privacy Act (FERPA)—federal legislation enacted to safeguard the privacy of student data—in place for four decades, the education sector is ripe for new standards and guidance on how to protect students’ personal information in the era of cloud computing. California has tackled this issue head on, with the passage of two education data privacy bills by its legislature on August 30, 2014. Senate Bill 1177 and Assembly Bill 1442 (together, the Student Online Personal Information Protection Act (SOPIPA)) create privacy standards for K-12 school districts that rely on third parties to collect and analyze students’ data, and require that student data managed by outside companies remain the property of those school districts and remain within school district control.
In a recent article published by Law360, Proskauer litigation associate Courtney Bowman outlines how companies can make inroads in the e-commerce market in the Middle East and North Africa (MENA). Although often overlooked, the region’s relative wealth and level of internet penetration make its more stable areas attractive markets for those companies willing to undertake the steps necessary to understand the region’s cultural nuances and customer preferences. Two of the most significant barriers to e-commerce growth in MENA are the widespread reluctance of customers to shop online due to fears about the security of online transactions and the low rate of credit card use in the region. As the article notes, however, e-commerce companies willing to offer solutions tailored to address these concerns, such as cash cards and m-payment systems, may be poised to establish a potentially lucrative presence in this part of the world.
Corporate Counsel published an article authored by Nolan Goldberg, Senior Counsel, Intellectual Property and Technology, concerning the recent decision compelling Microsoft to produce e-mails located on foreign servers. The article, entitled “Is the Flap Over Microsoft Emails in Ireland Overblown?”, provides a counter-point to critics who believe that Judge Preska’s Order will have broad implications for the U.S. technology industry.
Capital One Financial Corp. (“Capital One”) and three collection agencies have agreed to pay one of the largest settlement amounts in history — $75.5 million — to end a consolidated class action lawsuit alleging that the companies used an automated dialer to call customers’ cellphones without consent in violation of the twenty-two-year-old Telephone Consumer Protection Act (“TCPA”). Judge Holderman of the Northern District of Illinois preliminarily approved the settlement in late July.
In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software giant presented its case in the Southern District of New York where it was dealt another loss.
On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder data environment. A number of studies have shown that breach is tied increasingly to security vulnerabilities introduced by third parties. To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach.
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient health records. The regulations and laws at issue were Mass. G.L. c. 93A, Mass. G.L. c. 93H and its implementing regulations codified at 201 C.M.R. 17.00 et seq., as well as federal regulations under the Health Insurance Portability and Accountability Act (“HIPAA”).
As we’ve previously reported, cyber risks increasingly confront businesses of all kinds. In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”