Posted on July 7, 2008 by Joseph K. Wright

New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information.  “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.        

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.
Tags: , , , , , ,
Posted on April 22, 2008 by S. Montaye Sigmon

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

  • Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;
  • Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The Working Party found that users of search engines have the right to inspect and correct, where inaccurate or unnecessary, all their personal data collected by search engine providers.
Tags: , , , , , , , , , , , , , ,
Posted on October 14, 2007 by Tanya Forsheit

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.
Tags: , , , , , , , , , , , , ,
Posted on March 7, 2007 by Timothy P. Tobin

ISP Data Retention Legislation Introduced; ISPs and Privacy Advocates Fear Broad Mandates

Last month, a group of eight Republican lawmakers introduced H.R. 837, the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act 2007. The bill would give the Attorney General very broad authority to enact rules requiring Internet Service Providers (“ISPs”) to retain records so law enforcement could access their customers’ online activities. The ostensible purpose of the bill is to give the Government greater tools to fight child pornography and terrorism. As introduced, however, there is no limitation on the scope of any Attorney General rules as long as they govern ISP record retention. The only substantive guidance the SAFETY Act provides is that the regulations, “at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.” The Act would therefore result in rules requiring ISPs to at least retain logs that associate specific users with specific Internet Protocol (“IP”) addresses.  

New data retention requirements would likely impose major burdens on ISPs. Industry interests argue such requirements are unnecessary as ISPs already cooperate with the Government to combat online child predators and to provide customer identification when required by law. Currently, in many instances, law enforcement obtains user IP addresses from website operators when they suspect illegal behavior. Usually, law enforcement then issues a subpoena to the ISP associated with the IP address to obtain the identity of the user associated with that IP address. Because IP addresses are scarce, they are not permanently assigned to one customer. Instead they are dynamic – reassigned to different users for different on-line sessions. Data retention policies among ISPs differ, but they usually dispose of IP logs when there is no longer a business reason to keep the records. The Electronic Communications Privacy Act ("ECPA") already requires ISPs to preserve records for 90 days upon receipt of a government request, to allow the Government time to obtain a court order.

If the Internet SAFETY Act or similar legislation becomes law, the Attorney General could impose a relatively lengthy record retention requirement. The Department of Justice met with a group of ISPs on February 28, 2007, and discussed a two year record retention timeframe. Such a timeframe would result in significant new costs for ISPs not only to store data but to keep it in a searchable format. Some speculate that Congress could amend the SAFETY Act or introduce similar legislation that would reimburse ISPs for compliance costs, that might remove some of the Industry’s objections to such legislation. In addition, ISPs are also considering the possibility that new rules could expand the records that must be retained to include web browsing logs, contents of communications, such as emails and instant messages and even records of customers’ online keystrokes.

Privacy advocates fear the effects of such a law on personal privacy. In this age of large scale hacking, exemplified by such incidents at Cardsystems Solutions, BJ’s Wholesale Club, DSW, TJ Maxx and others, businesses and privacy advocates alike are coming to understand that destroying data that no longer has a business purpose is one of the best ways to protect consumers’ personal information. Government-mandated data retention increases the likelihood of wrongful access and misuse of ISP records. In addition, such mandates also substantially increase the likelihood of lawful access to ISP records by non-government persons. The larger pool of ISP data creates more information to be accessed by civil litigants using subpoenas in divorce, employment, or intellectual property lawsuits.

The Internet SAFETY Act contains various other provisions, some of which extend beyond just ISPs. For example, there are provisions that:

     

  • Require most website operators to have a label on any website page with sexually explicit material and to prevent the first accessible page from having sexually explicit material;

     

  • Prohibit web hosts or email service providers from knowingly facilitating access to child pornography;

     

  • Prohibit conducting a financial transaction knowing it will facilitate access to child pornography;

     

  • Increase fines for communications providers who knowingly fail to report child pornography crimes to the National Center for Missing and Exploited Children; and

     

  • Increase penalties for crimes related to the sexual exploitation of children and child pornography.

Although it was Republican lawmakers who introduced the Internet SAFETY Act, the principle of ISP data retention requirements enjoys bipartisan support. ISPs and privacy advocates will likely be lobbying to defeat, or at least impose some limitations on, the Internet SAFETY ACT or similar legislation.

Tags: , , , , ,