In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third-party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

First Subsidiary of a U.S.-Based Multinational Company Fined for Data Protection Violations in France

Last month the French subsidiary of the U.S.-based company Tyco Healthcare became the first local branch of a U.S. company to be fined for data protection violations. France’s data protection agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), levied a fine of 30,000 euros (or about $40,350) against the company after it ignored CNIL’s requests for clarification about one of its human resources databases and then made misrepresentations concerning the database to the regulatory agency.

Immunity of Website Operators for Content of Others Limited by Ninth Circuit

Imagine a website that allows people to post comments or content anonymously, to protect their privacy. Pretty common. Now imagine that the website assists the poster through an interactive online questionnaire seeking specific categories of information. Under a new ruling of the Ninth Circuit, the anonymous poster who provides the information may escape detection and liability, while the website operator may be held responsible. This is a big change in the law of website operator immunity.

On May 15, 2007, the Ninth Circuit Court of Appeals issued an opinion written by Judge Alex Kozinski that may have significant consequences for interactive website operators.

New York Attorney General Tags Worker's Compensation Claims Service Provider for Seven-Week Delay in Security Breach Notification

On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.

California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”