Brendon Tavelli : Privacy Law Blog

Home > Brendon Tavelli

Brendon Tavelli

Brendon Tavelli is an associate in the Litigation and Dispute Resolution Department and a member of the firm’s Privacy and Data Security Practice Group.With a special emphasis on state laws requiring notification in the event of data security breaches, Brendon regularly counsels clients on federal and state privacy and data security obligations. Brendon advises clients regarding legal restrictions on information-sharing and data retention, and has worked with clients to develop internal and public-facing policies addressing legal requirements and best practices for protection of customer and employee information. Brendon frequently writes on recent developments in federal and state privacy laws, and is a regular contributor to the firm’s Privacy Law Blog and the Practising Law Institute treatise Proskauer on Privacy (2006).Brendon also has experience representing clients in commercial and business litigation matters in federal and state courts in Virginia and elsewhere. Brendon received his law degree from the George Washington University Law School in 2006. While at George Washington, he served as the Executive Managing Editor of the American Intellectual Property Law Association (AIPLA) Quarterly Journal. Brendon graduated from the University of Pennsylvania with a degree in Biomedical Science in 2002. Brendon is a member of the Virginia and District of Columbia Bars and is admitted to practice before the U.S. District Courts for the District of Columbia, and the Eastern and Western Districts of Virginia.

Articles By This Author

Massachusetts Federal Judge Says ZIP Code is Definitely Maybe "Personal Identification Information" . . . Implores Parties to Seek State Court Certification.

Posted on January 12, 2012 by Brendon Tavelli

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead (see our blog post here) in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court refused to apply the California Supreme Court’s reasoning that the term “address” in § 105(a)’s definition of PII encompassed individual components of an address, and instead relied on a shaky analogy to PIN code to conclude that “a ZIP code can indeed be PII under section 105(a).” Id. at 12. The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. The decision is a strange one for a variety of reasons, not the least of which is the court’s insistence on setting the stage of a David vs. Goliath type showdown at the outset of its opinion only to bounce the “little guy” right out of the arena, but here goes …

Tags: Data Privacy Laws, Massachusetts, Song-Beverly Credit Card Act, personal identification information, transaction form, zip code

Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

Posted on December 16, 2011 by Brendon Tavelli

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.

Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

Tags: Data Breaches, Stored Communications Act, credit monitoring, data breach litigation, economic loss rule, identity exposure, negligence

Site Targeting "Tweenagers" Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations

Posted on November 11, 2011 by Brendon Tavelli

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. Skid-e-kids, a social networking site directed at children ages 7-14, allows children to do many of the things (e.g., share pictures and video) that adults do on Facebook and other popular social networking sites. In fact, according to the FTC, Skid-e-kids advertises itself as the “Facebook and Myspace for kids.”

Tags: COPPA, Children's Online Privacy Protection Act, Federal Trade Comission, children, online, settlement

ZIP-lined Out of Court: Williams-Sonoma Obtains Dismissal of New Jersey ZIP Code Collection Suit

Posted on October 4, 2011 by Brendon Tavelli

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The TCCWNA prohibits, among other things, the offering, entering into, giving or displaying a written consumer contract or notice “which includes any provision that violates any clearly established legal right of a consumer” under New Jersey or Federal law. In somewhat confusing fashion, the plaintiff’s complaint alleged that the electronic credit card transaction forms into which Williams-Sonoma enters consumers’ zip codes constituted consumer contracts that were subject to TCCWNA and that the collection of consumer zip codes on such forms violated the TCCWNA.

Tags: Data Privacy Laws, New Jersey, dismiss, litigation, personal information, zip code

Veto, Veto, Pass! New Governor Means New Breach Notification Law in California

Posted on September 7, 2011 by Brendon Tavelli

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). Interestingly, the bill also marks the third time (in three years) that a bill attempting to beef up the state’s breach notice law has landed on the Governor’s desk. Former Governor Arnold Schwarzenegger vetoed the previous two. SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach.

Tags: California, Security Breach Notification Laws, attorney general, breach notification, security breach

Proskauer Lawyers Help Secure Victory for DNA Privacy Rights

Posted on August 29, 2011 by Brendon Tavelli

On August 25, 2011, the Massachusetts Appeals Court, in a case of first impression, ruled that the state crime lab’s retention of an individual’s DNA sample beyond the limitations promised to him by the police when they took the voluntary sample state a claim for invasion of privacy, and for violation of the state’s Fair Information Practices Act (“FIPA”). The court’s clear holding that DNA is private information in which citizens have a reasonable expectation of privacy; that the government may not unilaterally determine how long it will retain such information, but must justify that decision; and that the state must honor limitations on consent volunteered by police officers in collecting such information, are all matters of first impression in Massachusetts.

Tags: DNA, Invasion of Privacy, Massachusetts, fair information practices act

"Illinois-ed" About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation

Posted on August 24, 2011 by Brendon Tavelli

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

Tags: Illinois, Security Breach Notification Laws, amendment, legislation, security breach

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

Posted on July 11, 2011 by Brendon Tavelli

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

Tags: Data Breaches, Indiana, attorney general, data breach, notification, security breach

Let us tell you how we see this going down: White House publishes cybersecurity legislative proposal

Posted on May 18, 2011 by Brendon Tavelli

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The proposal comes almost two years after the President identified cyber threats and protecting our digital infrastructure as “one of the most serious economic and national security challenges we face as a nation” in his Cyberspace Policy Review. The Administration’s legislative proposal includes a number of proposals to update existing federal cybersecurity laws and regulations in order to protect the Nation against cyber threats. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.

Tags: Cyber Security, Data Privacy Laws, White House, data breach, data security, legislation

Bay State "Brings It": Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

Posted on April 7, 2011 by Brendon Tavelli

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. The Final Judgment stems from an April 2009 information security breach in which outside hackers used malware to gain access to Briar Group’s computer systems and extract payment card information about the company’s restaurant and bar customers. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

Tags: Data Breaches, Massachusetts, data security, information security program, personal information, settlement