Kristen J. Mathews - Privacy Law Blog

Door to Increased Liability for Banks Opened by U.S. Court of Appeals for the First Circuit

Kristen J. Mathews — Thu, 19 Jul 2012 16:40:10 -0500

The United States Court of Appeals for the First Circuit has opened the door to increased liability for banks when hackers make fraudulent withdrawals. In Patco Construction Co., Inc. v. People's United Bank, the Court held that Ocean Bank, a division of People's United Bank, failed to establish "commercially reasonable" measures to prevent six fraudulent withdrawals from an account held by a local business. This alert provides an analysis of this significant decision and its potential implications for financial institutions.

Court Shines Light on California Data-Sharing Law: Proskauer Litigators Obtain Dismissal

Kristen J. Mathews — Thu, 12 Jul 2012 14:15:57 -0500

On July 3, 2012, Orange County Superior Court Judge Nancy Wieben Stock issued a ruling dismissing a California “Shine the Light” consumer protection law case without leave to amend, making it the first “Shine the Light” case to come to a final decision in a trial court. Judge Stock dismissed the case against XO Group Inc. by filing a ruling sustaining demurrers to both of the plaintiff’s two causes of action in the initial Complaint without leave to amend. The ruling holds that, based on the facts that the plaintiff admitted in her Complaint and that her attorney confirmed at oral argument, there is no possibility of showing that XO Group violated the Shine the Light law.

]]>California’s Shine the Light law (“STL”) went into effect on January 1, 2005. STL is a part of the California Civil Code, codified at sections 1798.83-84. STL does not prohibit businesses from sharing consumer information with other businesses. According to the California Office of Privacy Protection (“OPP”), STL “lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt-out of such information sharing.” (http://www.privacy.ca.gov/privacy_laws/index.shtml)

STL has not been tested before this year, when one law firm filed several similar cases based on STL, each with a derivative Unfair Competition Law ("UCL") claim based on the STL claim. The cases were filed as purported class actions, and most were filed in or removed to federal court. The stakes are high: if there is a violation, STL provides for damages, as well as discretionary civil penalties which could be as much as $3,000 per violation for a willful, intentional, or reckless violation, or $500 otherwise.

STL requires that companies that share California consumers’ information for third party marketing purposes either give the consumers an ability to request and receive a list of the third parties with whom the company has shared their information, or, in the alternative, commit to sharing information in this way only on either an opt-in or opt-out basis. If a company chooses the first option, the company must designate contact information for customers to use to make such requests. The company can choose from three ways to provide customers with that contact information. The business can: (i) instruct personnel to provide the contact information upon request, (ii) put certain information in its Web site privacy policy, or (iii) have the contact information available in certain places of business in California.

The Complaint focused on an alleged failure by XO Group to satisfy option (ii), i.e., to include the required information in its Web site privacy policy. It alleged that the other two options (instructing personnel and having information available at places of business) are not available to XO Group, as an Internet-based business. The Complaint also alleged that XO Group did not adequately instruct its employees to provide contact information for making information requests. The Complaint did not address a business’s option of complying with STL by offering consumers an opt-in or opt-out right for information sharing.

Judge Stock sustained XO Group’s demurrers on several grounds:

A statute that is designed to provide useful information to a customer, upon request, cannot be violated if there is no request made. The Complaint alleged that the plaintiff subscribed to services with XO Group and had no further contact.
A business may comply with Civil Code § 1798.83(a) by giving customers an option to opt-out of information sharing in its privacy policy under Civil Code § 1798.83(c)(2). The Complaint did not and could not state that XO Group had failed to comply with Section 1798.83(c)(2).
The failure to allege a violation of the STL also meant that plaintiff had failed to allege she was injured by reason of a violation and lacked standing to sue under the STL.
Civil Code § 1798.83(b)(1) gives covered businesses three alternative ways to comply with the STL’s customer education requirement: internal instruction to personnel under Section 1798.83(b)(1)(A), privacy policy posting under Section 1798.83(b)(1)(B), and making information available at places of business under Section 1798.83(b)(1)(C). The Complaint focused on alleged deficiencies in XO Group’s website privacy policy without addressing the STL’s allowance for alternative means of customer education.
Plaintiff did not have standing to pursue the UCL cause of action because she had not lost money or property as a result of an alleged unlawful act or practice.

This first trial court final decision in Regueiro v. XO Group, Inc. comes on the heels of the first STL ruling on a motion to dismiss, which federal District Court Judge Dale Fischer granted in a June 14, 2012 order. (Boorstein v. Men’s Journal LLC, 2012 WL 2152815 (C.D. Cal. June 14, 2012).) Judge Fischer dismissed the Complaint with leave to amend, and an amended complaint was filed on July 6, 2012. Judge Fischer’s decision, like Judge Stock’s, held that offering an opt-in/out option and providing disclosures are independent ways of complying with STL. Judge Fischer then went on to hold that each of the plaintiff’s three theories of injury fail under STL. First, diminution in value of personal information due to its sale is not recognized as legal “injury.” Even if it were, STL does not prohibit the sale of customer information (it merely gives consumers the right to find out about it), so any diminution in value of that information is not the “result of” a violation of STL, and therefore cannot convey standing. Second, a violation of STL is not, in itself, injury—there must be independent harm resulting from the violation. Third, there was no implied promise in the magazine subscription that Men’s Journal would comply with all laws such that a violation of STL, without actual harm, qualifies as an injury because it breaks that promise. Judge Fischer also held that the Unfair Competition Law claim failed, both as a derivative of the failed STL claim and independently because there was no injury to support it.

Proskauer will continue to monitor STL litigation and post updates here.

We thank Mira Serrill-Robins, an associate in our litigation department who assisted in our defense of these claims, for preparing this blog post.

Data Breach Case Research Paper Sheds Light

Kristen J. Mathews — Wed, 29 Feb 2012 22:57:19 -0500

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick.

Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to be sued for a breach of personal data, and what made a data breach lawsuit more likely to settle.

As an interesting example, they found that the odds of a company being sued over a data breach are six times lower when the company offered free credit monitoring following the breach. They also examined the probability of lawsuit and settlement as a function of the causes of the breach and the types of data lost.

The researchers provided some very interesting summary data. For example, by coding data within the federal complaints, they found 87 unique causes of action brought by plaintiffs' attorneys. They also provided information on settlement amounts, attorney's fees awards and cy pres awards.

Any lawyer who handles data breach cases would likely find this article to provide valuable insights.

Finally, A Home for Mobile App Privacy Policies - But One With A Financial "Catch"

Kristen J. Mathews — Mon, 27 Feb 2012 17:47:07 -0500

On February 22, 2012, California’s Attorney General, Kamala D. Harris, entered into an agreement with several leading providers of mobile devices and app stores to increase consumer privacy protection for mobile applications or “apps.” Under the agreement’s terms, these companies have agreed to redesign their app stores to provide a location for app developers to display their privacy policies.

California has long taken privacy – including technology-related privacy – seriously. Article 1, Section 1 of the California Constitution recognizes privacy as an inalienable right. California’s Online Privacy Protection Act of 2003 (“CalOPPA”) provides substantial consumer privacy protection by requiring any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” to post a conspicuous privacy policy detailing, for example, the categories of personally identifiable information collected from users and the categories of third-parties with whom the information may be shared.

]]>The two-page Joint Statement of Principles, adopted by Harris and the six leading mobile application platform companies – Apple, Amazon.com, Google, Hewlett-Packard, Microsoft, and Research In Motion (the “Companies”) – reflects an agreement to bring the mobile application industry into compliance with the terms of CalOPPA. Specifically, the Joint Statement sets forth the following principles for apps:

According to the California AG’s interpretation of CalOPPA, applications that collect personal user data must conspicuously post a privacy policy detailing, clearly and completely, how the application collects, uses, and shares personal data.

The Companies agree to include optional data fields for an application’s privacy policy – via hyperlink or text – in the submission process for new or updated apps so that users will be able to access the provided policy information from the application store.

Users will have the ability to report to the Companies applications that do not comply with applicable terms of service and/or laws, and the Companies will implement a process for responding to such reports.

These principles will apply globally to any mobile application that may impact a California consumer.

App developers that do not comply with CalOPPA by posting a privacy policy for their app can be held accountable under California law.

This blog post was written by Michelle Arnold, associate in our litigation department.

The White House Proposes New Consumer Privacy Bill of Rights

Kristen J. Mathews — Fri, 24 Feb 2012 09:52:10 -0500

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s efforts are also intended to bring about conformity with the privacy principles that have become the norm in other countries such as in Europe, thereby increasing interoperability between the U.S. privacy framework and that which has arisen in the rest of the world.

For now, the Consumer Privacy Bill of Rights is still a blueprint and does not include enforceable rules, but the Administration is pursuing implementation through legislation and a multistakeholder rule-making process.

]]>

The Consumer Privacy Bill of Rights adopts seven general principles as a guide for future rule-making and legislation:

1) Individual Control. Companies should present consumers with clear choices about personal data collection, use, and disclosure, including the ability to withdraw or to limit consent. The Administration has already begun action on this principle. Internet and online advertising companies including Google, Yahoo!, Microsoft, and AOL, in response to calls from the Administration and the Federal Trade Commission (“FTC”), have committed to use Do Not Track technology from the World Wide Web Consortium in most major web browsers.

2) Transparency. Companies should clearly disclose to consumers the scope of information collected, how it is used, when it is deleted, and whether it is shared with third parties.

3) Context. The use and disclosure of personal data should be commensurate with the relationship between company and consumer, as well as with the age and sophistication of the consumer.

4) Security. Companies should maintain safeguards to control loss, unauthorized access, and improper disclosure of consumer data.

5) Access and Accuracy. Companies should provide consumers with reasonable access to their personal data as well as the ability to correct data, request its deletion, or limit its use.

6) Focused Collection. Related to the context principle, companies should collect only as much personal data as needed to further contextually appropriate purposes. Once data is no longer needed, it should be deleted or de-identified.

7) Accountability. Companies should conduct full audits where appropriate, and companies that disclose personal data to third parties should ensure the recipients are under enforceable obligations to adhere to the Consumer Privacy Bill of Rights.

In the coming months, the Administration envisions a multistakeholder rule-making process convened by the Department of Commerce’s National Telecommunications and Information Administration. The process would involve companies, industry groups, privacy advocates, consumer groups, academics, international partners, State Attorneys General, and other relevant groups in drafting a set of rules based on the Consumer Privacy Bill of Rights. Companies would then voluntarily commit to follow the rules, and those commitments would become enforceable by the FTC.

The Administration is also encouraging Congress to pass legislation implementing the Consumer Privacy Bill of Rights and granting the FTC and State Attorneys General authority to directly enforce the Consumer Privacy Bill of Rights.

As these implementation efforts continue, watch this blog for further developments.

This blog post was written by David Munkittrick, an associate in our Litigation Department.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

Kristen J. Mathews — Fri, 09 Dec 2011 00:41:13 -0500

"Do I really have to obtain consent from all my customers to make a change to my privacy policy? No one else seems to be following that rule."

We get this question all the time. It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users. (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term. Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

]]>Last week, the FTC gave us their latest message. This time, it took the form of a settlement with Facebook in an action alleging that Facebook engaged in unfair and deceptive trade practices by, among other things, altering or enhancing their service in a manner that expanded their sharing of user data, without obtaining the consent of their users. (See our recent blog post detailing the settlement in full.)

In Facebook’s defense, they actually did, at least in some instances, take steps to obtain the consent of their users by requiring users to click through a multipage Privacy Wizard that walked users through the revised privacy settings. However, the FTC alleged that the Privacy Wizard process was in itself deceptive, since the explanatory wording used on the Wizard spun the changes as affording more control on the part of users, when in fact, according to the FTC, the changes reduced user control over how their data would be shared with third parties and overrode users’ existing privacy settings.

Under the terms of Facebook’s settlement with the FTC, Facebook denied all the FTC’s legal and factual allegations (with the exception of those regarding jurisdiction), so an outsider’s only way of knowing the facts at hand is through his experience as an observant user of Facebook over the course of years, or, alternatively, trust in the accuracy of media coverage of Facebook’s privacy changes over the last several years.

It is worth noting that Facebook is not required to pay a fine under the settlement. However, as part of the settlement, Facebook is required to suffer the scrutiny of the FTC for the next twenty years. For example, as is characteristic of the FTC’s privacy settlements, Facebook must retain an independent third party to assess and report on its privacy practices biennially. It also must implement a privacy program that entails taking a “privacy-by-design” approach to its product development going forward, and it must retain for the FTC’s review: (i) all widely disseminated materials relating to its privacy practices and changes thereto, including any backup materials, for the next three years; (ii) all consumer complaints for six months after receipt; (iii) all documents prepared by or on behalf of Facebook that contradict, qualify or call into question its compliance with the settlement terms for five years from receipt thereof; (iv) documentation of changes that Facebook makes to its privacy policies along with documentation of users’ consent and their settings prior to consent for three years from the date of such documents’ preparation or dissemination; and (v) all backup materials of its biennial privacy assessments for three years after each such assessment.

What is the takeaway for other businesses? One, the FTC wants businesses to disclose important changes in their privacy practices (such as how they share data with third parties) conspicuously, and not merely in their privacy policies and other legal boilerplate. Two, the FTC wants businesses to obtain affirmative consent from their customers when they make material adverse retroactive changes to their privacy policies. (They can obtain user consent the next time the user interacts with the business, such as when the user returns to the business’s Web site.) Three, the FTC wants businesses to be upfront and straight with their customers when they solicit their consent to new uses they want to make of user data – not to “spin” changes that expand the business’s usage rights as if they are enhancing user privacy.

It is worth noting that the statute that the FTC invokes to set these standards (the FTC Act) does not contain any of these requirements. It simply prohibits unfair and deceptive trade practices. Yet, each time we see an example of the FTC’s enforcement of this law in the privacy space, we learn something about the FTC’s interpretation of the law. (It is not often challenged, although it could be by a defendant so inclined.) And anything new and interesting we learn from these settlements is what we at Proskauer impart to you.

Breach Notification Obligations In All 50 States?

Kristen J. Mathews — Tue, 16 Aug 2011 10:42:36 -0500

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota).

]]>The law covers what it defines as "sensitive personal information," which includes (A) an individual's name in combination with his (i) Social Security number, (ii) state driver's license number or government issued ID number, or (iii) financial account number along with credentials that would allow access to his financial account, and (B) personally identifying information relating to an individual's physical or mental health or condition, heath care provided to such individual, or payment therefor.

The law only applies to persons who "conduct business in" Texas, although the law does not elaborate on what that might include.

The amended law also increases the penalties for a failure to notify consumers of a data breach from a maximum of $50,000 (under the old law) to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.

What does this mean for entities that have suffered a data breach? Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so. However, for companies that conduct business in Texas, there could now be a price tag of up to $250,000 for not notifying non-Texas residents whose sensitive personal information was subject to a data breach.

Texas's new law will become effective September 1, 2012.

Texas's H.B. 300 also amends Texas' Health and Safety Code to impose privacy and data security requirements that go beyond HIPAA (the Health Information Portability and Accountability Act), and it applies to entities that are neither a "covered entity" nor a "business associate" as defined by HIPAA. Instead, Texas's definition of "covered entity" would cover any entity that handles PHI (protected health information), with some exceptions. We will blog about these amendments separately.

5 Strategies For Avoiding Wiki Situations

Kristen J. Mathews — Wed, 29 Dec 2010 20:49:29 -0500

Want to know how you can protect your company from Wikileaks debacles the likes of which have been faced by the U.S. government as well as private companies. Check out this recent article by Proskauer's Dan Winslow and Kristen Mathews.

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

Kristen J. Mathews — Wed, 08 Dec 2010 00:03:00 -0500

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today?

]]>

· They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example in stores, at events, on the phone, via loyalty programs, through registration cards, and the like. The FTC’s report recommends that companies have privacy policies that apply offline as well.

· They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies’ privacy policies will need to be revised.

· They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than “commonly accepted practices”). For example, if the company will share the consumer’s data with a third party for the third party’s marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company, and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer, or shared with others for behavioral marketing purposes.

· Consumer choices could no longer be obtained using the good old pre-checked consent box.

· When data collected in a brick-and-mortar store will be used by the company in one of these “non-accepted” ways, the FTC proposes that the sales associate communicate the consumer’s choices to the consumer orally.

· When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)

· FTC proposes that data sharing with an affiliate is to be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.

· The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)

· The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about “sensitive” consumers such as children and possibly teens.

· The FTC’s recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.

· The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.

· The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose. (In other words, don’t collect it or retain it “just in case it comes in handy for something later.”)

· The FTC endorses a universal consumer “Do Not Track” option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)

· The FTC proposes that companies assign personnel to oversee privacy issues.

· The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)

· The FTC proposes “privacy by design.” In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review the last minute before launch.)

· The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the “layered” policy approach, in which each policy layer links to more detail in the next layer.

· You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

Proskauer on Privacy: Boston Edition

Kristen J. Mathews — Thu, 02 Dec 2010 15:08:48 -0500

Following the success of our Annual Proskauer on Privacy Conference in New York, we are taking the program on the road and invite you to attend our first Proskauer on Privacy: Boston Edition. Presented by the firm's Privacy and Data Security Group, this conference will focus on the latest developments in this area of law.

Our keynote speaker is Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation of Massachusetts.

Tuesday, December 14, 2010
8:00 a.m. - 8:30 a.m. Breakfast and Registration
8:30 a.m. - 11:45 a.m. Program

One International Place
Boston, MA 02110-2600

Click here to register.

Mathews Explains Social Media Privacy in Exclusive Bloomberg Video Interview

Kristen J. Mathews — Tue, 30 Nov 2010 21:44:35 -0500

Still don't really understand all the media attention on Facebook's, Twitter's and Google's user privacy woes? In a recent video interview by Bloomberg's Spencer Mazyck, Proskauer's Kristen Mathews explained the issues in a way that anyone can understand. In this video interview, Mathews discussed the background of the recent media scrutiny over Facebook's and Myspace's sharing of user data with application vendors, ad networks and data aggregators. She also discussed the legal challenges to Google's use of gmail information to launch its Buzz social network, and the Federal Trade Commission's settlement with Twitter pertaining to security vulnerabilities in Twitter accounts. She also discussed industry standards and pending legislation in this area.

Consent to Cookies? Who Wouldn't?

Kristen J. Mathews — Fri, 04 Dec 2009 11:53:31 -0500

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.

Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer. “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site. These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.

]]>Under the amended e-Privacy Directive, Web sites may only place cookies if the user has consented, after having been provided with clear and comprehensive information about the purpose of the cookie. The amended directive provides an exception to the consent requirement if the cookie is “strictly necessary” in order for the Web site to provide a service specifically requested by the user. While this exception is mildly helpful, it would not apply to most uses of cookies.

A recital (see recital 66) that prefaces the directive suggests that “where it is technically possible and effective,” consent may be expressed by using the appropriate settings of a Web browser or other application. However, it is unclear whether user consent can be obtained this way when the default Web browser setting is to accept cookies, as is the case with most Web browser software on the market.

Furthermore, due to the European law’s definition of “personal information,” the EU’s new rule even applies to cookies that do not collect a user’s name or contact information, on the grounds that anonymous cookies still enable a Web site to recognize a user who has been to the site before.

While this amendment leaves European companies in a state of alarm, it also leaves non-EU companies in a state of quandary. The EU (specifically, the Article 29 Working Party) consistently has taken the position that its personal data directive (an older sibling of the e-Privacy Directive) applies to wholly non-EU Web sites that place cookies on computers which are located in Europe. If the e-Privacy Directive also applies to all Web sites that drop cookies, the global impact of these amendments essentially requires every Web site to change its practices in about 18 months, which is the deadline by which European Member States must implement the e-Privacy Directive’s amendments.

Massachusetts Finally Finalizes Data Security Regulations - We Think

Kristen J. Mathews — Mon, 02 Nov 2009 18:16:12 -0500

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts' "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in Jul 2007.

Regulation 201 CMR 17.00 ("Standards For The Protection of Personal Information of Residents of the Commonweath") was previoulsly amended in August in response to industry backlash.

This week's final amendments make very few changes to the regulations that were released in August:

The regulations apply to persons who "store" personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
Service Providers include persons who "store" personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
The express carve-out of the U.S. Postal Service from the definition of "Service Providers" has been removed
The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2010 effective date of the regulations has not changed.

Who Cares If A List of Email Addresses Gets Stolen?

Kristen J. Mathews — Fri, 30 Oct 2009 19:34:17 -0500

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

]]>The rejected settlement would have required Ameritrade to:

Post notices on its Web site warning customers about “stock touting spam”
Retain independent experts to conduct biannual penetration tests on its systems
Seed its email address databases with monitored email addresses for the purpose of detecting data compromises
Offer to pay for one year’s worth of a spam or virus filtering service for each of the 6 million customers whose email addresses were compromised
Retain an analytics specialist to perform analyses of whether the compromised data has been used to commit identity theft
If identity theft is detected, offer class members identity theft remediation services
Donate $55,000 to two anti spam projects
Pay plaintiffs’ counsel $1.9M in attorney’s fees

Since these settlement terms did not satisfy the judge, the parties will reconvene at a hearing on December 10, 2009.

The Ameritrade case has served as a reminder that companies should not ignore the importance of keeping contact information secure while focusing primarily on more sensitive information such as Social Security Numbers and financial account numbers. However, applicable laws that require companies to protect the security of individuals’ information generally do not apply to mere contact information. For that reason, it is still appropriate to classify contact information as “confidential” as long as your policies provide for reasonable protections for such information. As an example, since customer databases compile all customer contact information into one place, and are an attractive target for hackers, such databases should be afforded greater protection than individual documents that contain just one customer’s name and contact information. Similarly, when disposing of paper files containing customer contact information in mass, it would be a best practice, although not required by U.S. law, to shred such documents upon disposal.

DC Court Sides with the ABA - No Red Flag Rules for Lawyers

Kristen J. Mathews — Fri, 30 Oct 2009 10:47:52 -0500

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.”

The FTC has not yet indicated whether it will appeal Judge Walton's ruling.

Here is a link to the court’s order.

Here is a link to the ABA’s press release.

Since when does a legal entity have "privacy" rights?

Kristen J. Mathews — Wed, 30 Sep 2009 08:47:43 -0500

Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024).

Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that a corporation (AT&T) was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.” Specifically, FOIA exempts “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information … could reasonably be expected to constitute an unwarranted invasion of personal privacy…”(emphasis added). This exemption, combined with FOIA’s definition of “person” to include legal entities, enabled AT&T to successfully argue that a corporation has a right to privacy. (After all, the court said, “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”) As a result, AT&T’s competitors have not been able to obtain information about an FCC investigation of AT&T regarding AT&T’s alleged overcharging of some of its customers.

Whether this ruling will be followed in other FOIA cases, or used to expand the concept of privacy rights under other statutes, remains to be seen. For now, when submitting information to regulators in connection with investigations, companies should consider submitting such information as confidential, since doing so could help the company to later challenge attempts by competitors or other third parties to obtain such information from the regulator under FOIA.

]]>

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Kristen J. Mathews — Wed, 23 Sep 2009 08:11:58 -0500

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach. See September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

Update: Maine's Marketing to Minors Law Found Likely to Be Unconstitutional

Kristen J. Mathews — Wed, 09 Sep 2009 07:50:35 -0500

The first lawsuit challenging Maine's Act to Prevent Predatory Marketing Practices Against Minors has concluded. The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could suffer from the same constitutional infirmities." In the meantime, the lawsuit was dismissed without prejudice, in light of the State Defendant's representation that Maine will not enforce the statute and that the Legislature will reconsider it when they reconvene in January 2010.

Massachusetts' Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Kristen J. Mathews — Mon, 17 Aug 2009 18:17:09 -0500

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010. (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need. These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program. That said, the changes apply to all business, not just small businesses.

]]>This shift indicates that Undersecretary Anthony, only a few months into her new position, has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their potential impact.

Importantly, the revised regulations add a “to the extent technically feasible” qualifier to all of the regulations’ computer system security requirements, meaning that encryption of personal information in transit and stored on portable devices is only required to the extent “technically feasible.” Although “technically feasible” is not defined in the regulations themselves, a definition is provided in the Frequently Asked Questions (FAQ) that accompanied the regulations. In addition, the regulations are technology neutral; in particular, “encryption” now includes any transformation of data into a form in which meaning cannot be assigned “without the use of a confidential process or key.” (Some will surely argue that this new definition of “encryption” does not necessarily require encryption at all; however, the FAQ suggests that the removal of references to specific technology from the definition was intended to allow for future encryption technologies, not necessarily earlier or less secure technologies.)

Another important change regards the required oversight of service providers. The revised regulations still require that service providers be bound to comply with the regulations’ standards, but only future service provider agreements must include such a requirement.

Additionally, the new regulations make other changes – such as deleting some of the prior regulations’ more specific requirements.

As noted by Undersecretary Anthony, "these updated regulations feature a fair balance between consumer protections and business realities."

A press release by The Associated Industries of Massachusetts (AIM) specifically expresses AIM’s appreciation for the cooperation of Secretary Barbara Anthony and the assistance of Attorney General Martha Coakley, Representative Michael Rodrigues and Senator Michaela Morrissey over the course of the last several months to develop revised regulations that answer the concerns of the business community.

Public hearings on the revised regulations will be held on September 22, 2009.

This post was contributed to by Amy Crafts, a senior Associate in Proskauer's Boston office and a member of Proskauer's Privacy and Data Security Practice Group.

Maine Makes Marketing Minors "Predatory"

Kristen J. Mathews — Fri, 07 Aug 2009 07:36:10 -0500

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect. Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not have knowledge that the information regards a minor.

]]>The Act applies to two types of information: (1) health-related information, which includes information related to health or physical condition, nutrition, medications, mental health, medical insurance coverage and similar data; and (2) personal information, which includes a last name with first name or first initial, home or other physical address, social security number, driver’s license or state identification card number, and information about a minor collected in combination with other personal information. An email address or other online identifier is not expressly included, but it would be considered personal information if combined with other personal information of any of the other types included in this definition.

Since Maine’s new law is intended to protect the privacy of minors, it can be compared to the federal Children’s Online Privacy Protection Act (“COPPA”). However, the Maine law is broader than COPPA in many significant ways. Among the other differences discussed below, under Maine law, a minor is someone under 18. In contrast, COPPA only protects “children” who are under 13 years old.

Maine’s new law can also be compared to some other state laws, As an example, it can be compared to a law that has been in existence in California since 2004. California’s Civ Code sec. 1798.91 also regulates the collection, use and disclosure of health related information for marketing purposes without notice and consent; however, California’s law is not limited in application to minors.

Maine’s new Act contains three separate prohibitions.

First, the Act makes it unlawful to knowingly collect or receive health-related or personal information for “marketing purposes” from a minor without prior “verifiable parental consent.” The way the Act is written, it is unclear whether the requirement for “knowing” collection or receipt applies to the type of information or also to the fact that the information is collected from a minor. The Act defines “marketing purposes” as “the purposes of marketing or advertising products, goods or services to individuals.” This particular provision – unlike the provisions discussed below – appears to be limited to information collected “from” a minor. “Verifiable parental consent” is defined to mean reasonable efforts to give the parent notice of the collection, use and disclosure practices and to obtain parental authorization for such collection, use or disclosure “before that information is collected from that minor.” Unlike COPPA, Maine’s Act is not limited to online collection. Nor does the Act contain any exceptions permitting some collection of “personal information” from the minor, such as for the purpose of obtaining parental consent for additional collection.

Second, the Act makes it unlawful to sell, offer for sale or otherwise transfer health-related or personal information about a minor if (A) it was collected in violation of the prohibition above; (B) it “individually identifies the minor”; or (B) it will be used for “predatory marketing” as described below. This provision does not have a scienter requirement (although a “knowledge element is built into Subsection A). Subsection B – which is not limited to uses “for marketing purposes” – apparently requires that any transfer of information “about a minor” be done on an aggregate basis.

Third, the Act prohibits “predatory marketing,” which is defined as using health-related or personal information regarding a minor “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.” Again, there is no scienter requirement, nor any exception permitting a parent to sign up on behalf of a child, or to otherwise consent to such marketing.

The Act provides for enforcement by the Maine Attorney General as an unfair trade practice, with penalties of $10,000-$20,000 for the first violation and at least $20,000 for subsequent violations. The Act also provides for a private right of action in Maine state court, including recovery for the greater of actual damages or $250 per violation (with the potential for trebling for willful or knowing violation), plus attorney’s fees.

The potentially broad reach of this statute (particularly due to the lack of a scienter element in several of its provisions) makes it likely to be subject to challenge. In the meantime, businesses should consider their approach to achieving compliance. Given the breath of the Act, and the fact that some of its requirements apply regardless of a company’s knowledge of an individual’s age, complying with Maine’s new law will surely prove to be a challenge for essentially every enterprise.