December 2006

A number of recent developments indicate that the 110th Congress, to be seated in January, may seek to federalize data privacy laws and preempt state legislation in that area. Several data security bills were introduced in the 109th Congress; however, to date, none have passed.

Sen. Patrick Leahy of Vermont, the incoming chair of the Committee on the Judiciary, recently reiterated his commitment to enacting privacy legislation. One of Leahy’s aides noted that he expects the reintroduction of S. 1789, a bill heard by the Judiciary Committee that did not progress. In addition to creating requirements for protection of data and notification of breaches, S. 1789, at least as revised in 2005, contains the following clause: “No State may require any business entity subject to this subtitle to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.”

Senator Diane Feinstein of California, incoming chair of the Senate Committee on the Judiciary Subcommittee on Terrorism, Technology and Homeland Security, also plans to introduce legislation concerning notification of data breaches. Feinstein introduced similar legislation in 2005. That bill, which was referred to the Committee on the Judiciary, would have preempted state law only to the extent it was inconsistent.

For more on other data security bills introduced in the 109th Congress, see this Alert.

“Pretexting” is the acquisition of customer records from telecommunications carriers by fraudulent means, most commonly by pretending to be the phone customer whose information is sought. The Hewlett-Packard (“HP”) scandal, which erupted this fall and grabbed national headlines, made pretexting famous, but the practice has been a problem for years.

The issue actually came to the attention of Congress, the Federal Trade Commission (“FTC”), the Federal Communications Commission (“FCC”) and state legislatures and regulators last year when the Electronic Privacy Information Center (“EPIC”) filed a report with the FCC pointing out the existence of numerous websites advertising the sale of personal phone records.

During 2006, fifteen states, including California, passed laws banning pretexting to obtain phone records; the FTC brought enforcement actions under its unfair and deceptive trade practice authority against five online data brokers that were selling phone records; numerous state Attorneys General took action against data brokers under “little FTC Act” laws; and the FCC proposed new rules (discussed below) applicable to telecommunications carriers designed to further safeguard consumer phone records. At the beginning of the year, nearly a dozen bills addressing pretexting were introduced in Congress. The House unanimously passed H.R. 4709, the Telephone Records and Privacy Protection Act of 2006, in April, but the bill languished in the Senate throughout most of the rest of the year, gaining new life after the public revelation of HP’s pretexting in connection with its investigation of media leaks.

On December 9, 2006, the Senate approved H.R. 4709 by unanimous consent. Among other things, the statute imposes criminal liability for those who intentionally purchase or receive, or attempt to purchase or receive, customer phone records, with knowledge or reason to know that the information was obtained fraudulently. Despite criticisms of H.R. 4709 by consumer groups who object to the exception for law enforcement and who prefer the approach in other bills requiring extensive new safeguarding requirements for telecommunications carriers, the President is expected to sign the bill.

California High Court Hears Argument Regarding Invasion of Privacy Claims

On Tuesday, December 5, the California Supreme Court heard argument in the case of Taus v. Loftus, S133805. Loftus is a psychologist and UC Irvine professor who allegedly misidentified herself for the purpose of obtaining information to dispute conclusions of a case study regarding repressed memory. Loftus allegedly used public records to find Jane Doe, now identified as naval aviator Nicole Taus, the subject of a study by psychiatrist David Corwin. As a child, Taus was the subject of a child custody battle in which her father, who prevailed, claimed his daughter had been abused by her mother. Corwin interviewed Taus first as a child during her parents’ divorce, and again more than a decade later. With Taus’ consent, Corwin wrote an article in 1997 that claimed that Taus had reported abuse as a child, blocked memories of the abuse, and spontaneously recovered those memories during their subsequent interview years later. Corwin’s article identified Taus as Jane Doe.

Loftus published a two-part report in 2002 casting doubt on Corwin’s conclusions, but did not identify Taus by name. In 2003, Taus revealed her own identity when she sued Loftus, her co-author Melvin Guyer, Carol Tavris (an author of another 2002 article regarding the case), the magazine where the Loftus article appeared the Skeptical Inquirer (published by the Committee for the Scientific Investigation of Claims of the Paranormal), the University of Washington (where Loftus was employed), and Shapiro Investigations (a company that allegedly performed investigation services for Loftus). Taus’ lawsuit included claims for infliction of emotional distress, invasion of privacy, intrusion, fraud, and defamation with respect to Taus’ mental health and fitness for military duty. Taus alleged, among other things, that Loftus had obtained an interview with Taus’ former foster mother by misrepresenting that she was Corwin’s supervisor. Loftus denies that she ever made any such misrepresentation.

The case arrived at the Supreme Court on appeal from the First District Court of Appeal’s unpublished ruling in April 2005 that Taus was sufficiently likely to prove invasion of privacy against all appellants except Tavris, and defamation as alleged against Loftus, to survive an anti-SLAPP motion. Taus v. Loftus, A104689. During Tuesday’s argument, several of the Justices expressed concern regarding Loftus’ alleged misrepresentations to obtain the interview with the foster mother. Loftus argued that Taus had no expectation of privacy because she had provided consent to Corwin to publish her account and to show videotapes of the session at issue.

The case has potential implications for journalists, among others, who argue that a ruling in favor of Taus could result in lawsuits by news sources who contend, after the fact, that reporters obtained information by misrepresentation.