EU Data Protection Watchdog Supports Data Breach Notification Law

The European Data Protection Supervisor (EDPS) has come out in favor of the EU enacting data security breach notification laws.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration’s own data processing, as well as by commenting on pending legislation.

Continue Reading...

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Continue Reading...

No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Continue Reading...

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Continue Reading...

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

Continue Reading...

Immunity Under the CDA Has Its Limits According to Two Recent Federal Court Decisions

Website Operator Can Be Held Liable for State Intellectual Property Violations

A federal district court in New Hampshire recently ruled that Section 230 of the Communications Decency Act of 1996 (“CDA”) does not prevent a state law right of publicity claim against a Website operator. In Doe v. Friendfinder Network, Inc., No. 07-286, 2008 WL 803947 (D.N.H. March 27, 2008), a profile of the plaintiff, including a nude photo and biographical information, was posted by an unknown third party on AdultFriendFinder.com, an online swingers community, without the plaintiff’s knowledge or consent. The plaintiff asserted eight claims against the Website for, among other things, invasion of privacy (including violation of her right of publicity), defamation and false designation in violation of the Lanham Act. On the site’s motion to dismiss, the district court found that all of plaintiff’s claims were barred by the CDA, except her false designation and right of publicity claims. In so holding, the district court challenged and criticized a recent Ninth Circuit decision regarding the CDA’s immunity.

Continue Reading...

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Continue Reading...

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first of its kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third parties Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.   

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously with data collected linked only to a computer’s Internet Protocol (IP) address, not name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as Nebu-Ad, Phorm and Adzilla who use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network. 

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

Continue Reading...

SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Continue Reading...

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

Continue Reading...