Oregon Becomes 38th State to Adopt Breach Notification Law

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

Ninth Circuit Applies Pen Register and Mail Principles to Warrantless Monitoring of Internet Traffic

In a novel case, the Ninth Circuit ruled on July 6, as amended July 25, that government surveillance of Internet Protocol (“IP”) addresses visited, to/from addresses of emails, and the total volume of information sent to or from an email account does not violate the Fourth Amendment. United States v. Forrester, No. 05-50410, -- F.3d -- (9th Cir. July 6, 2007). The ruling does not affect the requirement that the government obtain a search warrant before searching the actual content of that Internet traffic. 

The defendant in United States v. Forrester, Dennis Louis Alba, was charged and convicted of various federal offenses relating to the operation of an Ecstasy-manufacturing laboratory. During the government’s investigation of Alba, it installed a device on Alba’s computer that gathered the IP addresses of the websites he visited, the to/from addresses of his emails, and the total volume of information sent to or from his email account. In his appeal, Alba contended that the surveillance constituted a warrantless search in violation of the Fourth Amendment and fell outside of the then-applicable pen register statute. The Ninth Circuit addressed the merits of Alba’s first contention, but found it unnecessary to address the second.  

The Ninth Circuit applied the Supreme Court’s analysis in Smith v. Maryland, 442 U.S. 735 (1979), in which the Court held that a pen register does not constitute a Fourth Amendment search. The Court so held because pen registers merely track phone numbers dialed and do not reveal the actual contents of conversations. Cf. Katz v. United States, 289 U.S. 347 (1967) (holding that one can have a legitimate expectation of privacy in the contents of one’s phone conversations). The Ninth Circuit reasoned that the government’s surveillance of Alba’s activity was “constitutionally indistinguishable” from surveillance via a pen register because accessing IP addresses involves the transmission and receipt of a unique identifier, which does not reveal actual content, via the third-party equipment of an internet service provider. An Internet user therefore does not have a legitimate expectation of privacy in the IP addresses he or she accesses.

Court Rules that Legitimate Privacy Concerns Do Not Outweigh SEC's Interest in Discovering Relevant Financial Records in Backdating Matter

Balancing privacy and evidentiary interests in a stock option backdating matter, the Northern District of California held on June 11, 2007 that the SEC’s interest in obtaining banking account information of defendant Gregory Reyes, ex-CEO of Brocade Communications, outweighs Reyes’ financial history privacy interests. SEC v. Reyes, No. C 06-04435 CRB (N.D. Cal. 2007).

In discovery, Reyes produced "highly redacted" information relating to his transactions. The SEC then issued subpoenas duces tecum to Merrill Lynch and Deutsche Bank, seeking information about Reyes’ accounts. Reyes responded with a motion to quash the subpoenas, arguing that he had already disclosed all information relating to his transactions in Brocade, and that his privacy interest outweighed the SEC’s interest in obtaining additional non-Brocade information.

CAN-SPAM Preempts California Anti-Spam Laws

In a recent decision, the Northern District of California held that e-mail harvesting without permission may give rise to a cause of action under the California Penal Code and for common law misappropriation. More striking, however, was the court’s ruling that the federal CAN-SPAM Act, 15 U.S.C. § 7701 et seq., preempts two California anti-spam statutes. Facebook, Inc. v. ConnectU LLC, --- F.Supp.2d ---, 2007 WL 1514783 (N.D. Cal. 2007).

In the litigation, Plaintiff Facebook, Inc. contends that Defendant ConnectU, Inc. violated several federal and state statutes and engaged in common law misappropriation when it collected e-mail addresses of Facebook’s registered users and then sent them commercial e-mail, encouraging them to switch to ConnectU. Among its claims, Facebook argues that ConnectU violated California Penal Code § 502(c), California Business and Professions Code §§ 17529.4 and 17538.45, and CAN-SPAM, 15 U.S.C. § 7701 et seq. ConnectU moved to dismiss several of these claims, pursuant to Federal Rule of Civil Procedure 12(b)(6).
