‘Patco Construction Co., Inc. v. People’s United Bank’ ‘online banking’ authentication
On July 3, 2012, Orange County Superior Court Judge Nancy Wieben Stock issued a ruling dismissing a California “Shine the Light” consumer protection law case without leave to amend, making it the first “Shine the Light” case to come to a final decision in a trial court. Judge Stock dismissed the case against XO Group Inc….
In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick. Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to…
On February 22, 2012, California’s Attorney General, Kamala D. Harris, entered into an agreement with several leading providers of mobile devices and app stores to increase consumer privacy protection for mobile applications or “apps.” Under the agreement’s terms, these companies have agreed to redesign their app stores to provide a location for app developers to display their privacy policies.
On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s…
Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?) Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of…
Want to know how you can protect your company from Wikileaks debacles the likes of which have been faced by the U.S. government as well as private companies? Check out this recent article by Proskauer’s Dan Winslow and Kristen Mathews.
Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today?
Following the success of our Annual Proskauer on Privacy Conference in New York, we are taking the program on the road and invite you to attend our first Proskauer on Privacy: Boston Edition. Presented by the firm’s Privacy and Data Security Group, this conference will focus on the latest developments in this area of law….
Still don’t really understand all the media attention on Facebook’s, Twitter’s and Google’s user privacy woes? In a recent video interview by Bloomberg’s Spencer Mazyck, Proskauer’s Kristen Mathews explained the issues in a way that anyone can understand. In this video interview, Mathews discussed the background of the recent media scrutiny over Facebook’s and Myspace’s…
If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers. Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators…
In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts’ "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in Jul 2007. Regulation 201 CMR 17.00 ("Standards For The…
A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection? One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone…
The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers, saying that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s…
Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024). Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that…
On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning…
The first lawsuit challenging Maine’s Act to Prevent Predatory Marketing Practices Against Minors has concluded. The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could…
Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010. (Previous to an earlier extension, the compliance deadline was May 1, 2009.) The revised regulations emphasize…
In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect. Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to…
In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several…
I don’t know, but I could probably find out. There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice. Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be…
Last month, we blogged about whether the Red Flag Rules apply to medical care providers. According to the FTC, they may also apply to retailers. The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most…