Data Breach Case Research Paper Sheds Light

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick.

Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to be sued for a breach of personal data, and what made a data breach lawsuit more likely to settle.

As an interesting example, they found that the odds of a company being sued over a data breach are six times lower when the company offered free credit monitoring following the breach. They also examined the probability of lawsuit and settlement as a function of the causes of the breach and the types of data lost.

The researchers also provided useful summary data. For example, by coding the federal complaints, they identified 87 unique causes of action brought by plaintiffs' attorneys. They also reported figures on settlement amounts, attorneys' fees awards and cy pres awards.

Any lawyer who handles data breach cases would likely find the paper's insights valuable.


New York Court Finds Clinic Not Liable for Employee's Disclosure of PHI

A federal district court dismissed an action against an employer alleging vicarious liability for an employee’s dissemination of a patient’s protected health information (PHI) related to treatment for a sexually transmitted disease (STD). Specifically, the court found that the employer, a private New York medical clinic, was not vicariously liable for the employee's actions because she was acting in a personal capacity that was beyond the scope of her employment.


French employees should check their privacy settings before posting on social media platforms

It may seem obvious to a lay person that employees should refrain from insulting their companies on social media, given the threat of termination for cause; however, contradictory legal principles apply to employees' use of social media and can be invoked both for and against employees (i.e. freedom of speech, the right to privacy, data protection laws, an employer’s right to take disciplinary action, the public insult offense, etc.). As a consequence, it is uncertain whether an employer can rely on its employees’ postings on social media websites to sanction them.


Finally, A Home for Mobile App Privacy Policies - But One With A Financial "Catch"

On February 22, 2012, California’s Attorney General, Kamala D. Harris, entered into an agreement with several leading providers of mobile devices and app stores to increase consumer privacy protection for mobile applications or “apps.” Under the agreement’s terms, these companies have agreed to redesign their app stores to provide a location for app developers to display their privacy policies.

California has long taken privacy – including technology-related privacy – seriously. Article 1, Section 1 of the California Constitution recognizes privacy as an inalienable right. California’s Online Privacy Protection Act of 2003 (“CalOPPA”) provides substantial consumer privacy protection by requiring any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” to post a conspicuous privacy policy detailing, for example, the categories of personally identifiable information collected from users and the categories of third parties with whom the information may be shared.


The White House Proposes New Consumer Privacy Bill of Rights

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s efforts are also intended to bring about conformity with the privacy principles that have become the norm in other countries such as in Europe, thereby increasing interoperability between the U.S. privacy framework and that which has arisen in the rest of the world.

For now, the Consumer Privacy Bill of Rights is still a blueprint and does not include enforceable rules, but the Administration is pursuing implementation through legislation and a multistakeholder rule-making process.


FCC Approves New Rules Curbing "Robocalls"

In a move that will no doubt please many consumers, on February 15, 2012, the Federal Communications Commission approved a new set of rules aimed at substantially curbing "robocalling" by telemarketers, that is, the placing of automatic, pre-recorded calls. The key development in the FCC's 48-page Report and Order is that a telemarketer must now obtain the consumer's express written consent before initiating a "robocall". This requirement of express written consent supplants the previous robocalling regime, under which merely having an "existing business relationship" with a consumer was sufficient to create an exemption from the ban on robocalling; that exemption has now been eliminated under the rules.


Peek-A-Boo The FTC Sees You: A Need to Know for Members of the Kids App Eco-System

Whether your six-year-old has hijacked your iPad again to rediscover the inexplicable joy of flinging birds with a finger-activated slingshot or to harness her mighty math powers in the origami-paved streets of Umi City, children are tapping into the spring of entertainment and educational value offered by the mobile applications marketplace. Yet, according to a study issued last week by the Federal Trade Commission, “Mobile Apps for Kids: Current Privacy Disclosures are DisAPPointing”, the lack of privacy disclosures in these apps may hint at deeper privacy pitfalls that members of the kids app ecosystem may soon have to remedy.


R-E-S-P-E-C-T, Cross-Border E-discovery

Litigants navigating the conflict between U.S. discovery obligations and foreign data protection laws have a new ally, the American Bar Association (“the ABA”). The ABA recently passed Resolution 103, which “urges” that:

[W]here possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.


First State Attorney General Action Under HITECH

On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection agency, lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents the first case brought by a state attorney general under HIPAA. 


Mobile Marketing Association Releases Final Version of Mobile Application Privacy Policy Framework

After introducing a draft of its Mobile Application Privacy Policy Framework (“Framework”) in mid-October for public comment, the Mobile Marketing Association ("MMA") recently released the final version of the Framework.

The Framework provides a general starting point that application developers can refer to when drafting their application privacy policies. The Framework includes model language to address the following questions and topics regarding the application’s and developer’s privacy practices:


Illinois Attorney General Issues Information Security and Security Breach Notification Guidance

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that handles personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in preventing, preparing for and responding to data security breaches. The guidance suggests that entities assess the amount of personal information on file, reduce the amount of personal information retained within the entity, protect the remaining information accordingly and train employees to manage it properly. So that entities can respond quickly and efficiently to a data security breach, the guidance encourages them to create and implement an incident response plan that incorporates the PIPA notice requirements.

Additional information about the Information Security and Security Breach Notification Guidance is available from the Office of the Illinois Attorney General.