June 2010

On June 25, 2010, Judge Richard Berman of the U.S. District Court of the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. Judge Berman’s dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit.

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

In an important decision for employers, the U.S. Supreme Court unanimously overturned a decision by the U.S. Court of Appeals for the Ninth Circuit in a case involving an employee’s assertion that a government employer had violated the Fourth Amendment by unreasonably obtaining and reviewing personal text messages sent and received on employer-issued pagers. The decision, a victory for employers, provides helpful guidance for management of electronic communication systems and workplace searches. Read this alert to learn more about the decision and how it may affect you.

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach.  The regulations are national and international in scope, as they apply to all companies –

On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make!