No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Arnold never claimed that the government’s search of his laptop damaged it in any way, and therefore did not invoke the "exceptional damage to property" exception to suspicionless border searches. Further, although Arnold did raise the "particularly offensive manner" exception, the court found there was nothing in the record to "indicate that the manner in which the CBP officers conducted the search was ‘particularly offensive’ in comparison with other lawful border searches." The customs officers simply asked Arnold to boot up his laptop and looked at what was there. The court failed to discern any meaningful distinction between such a search and suspicionless searches of travelers’ luggage at the border.

The court also refused to adopt Arnold’s analogy to a search of a home, noting that the Supreme Court has rejected applying Fourth Amendment protections afforded to homes to property "‘capable of functioning as a home’" simply due to its size. The court also rejected the notion that the quality or nature of the container merited a distinction in this case. A laptop, the court reasoned, is more like a mobile home than a home or office; the Supreme Court has refused to treat a mobile home differently from other vehicles because it is readily movable and the expectation of privacy with respect to a car is significantly less than that relating to a home or office. The court also noted that case law does not support a finding that a search is particularly offensive due to the storage capacity of the object.

Finally, the court rejected Arnold’s argument that the First Amendment requires reasonable suspicion for a border search where the risk is high that expressive material will be exposed. The court refused to create a split with the Fourth Circuit’s decision in United States v. Ickes, 393 F.3d 501 (4th Cir. 2005). The Fourth Circuit declined to "carve out a First Amendment exception to th[e border search] doctrine because such a rule would: (1) protect terrorist communications ‘which are inherently ‘expressive’’; (2) create an unworkable standard for government agents who ‘would have to decide—on their feet—which expressive material is covered by the First Amendment’; and (3) contravene the weight of Supreme Court precedent refusing to subject government action to greater scrutiny with respect to the Fourth Amendment when an alleged First Amendment interest is also at stake."

Needless to say, the Ninth Circuit’s decision in Arnold has significant implications for anyone who travels with unencrypted confidential and/or personally identifiable information on a laptop or other electronic storage device. Companies with personnel who routinely travel with such sensitive information must reevaluate information security policies and consider measures that will protect such information from unauthorized access during international travel. It is not a given that affected entities and individuals can wipe laptops and other storage devices clean of such information prior to travel. Such procedures may create practical problems and inefficiencies, and even run afoul of legal or litigation holds requiring the preservation of data in a particular form.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

In the FTC’s action against TJX, the Commission alleged that TJX failed to prevent unauthorized access to personal information on its computer networks. These failures allowed a hacker to exploit vulnerabilities and obtain tens of millions of credit and debit payment cards used at the retailer’s stores, along with personal information about approximately 455,000 consumers who returned merchandise without receipts. The FTC alleged that TJX:

  • Created an unnecessary risk to personal information by storing it on and transmitting it between various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require the use of strong passwords or different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software. 

The FTC’s settlement with TJX requires the retailer to implement and maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. The program must include certain administrative, technical and physical safeguards that are appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. In particular, TJX must:

  • Designate an employee or employees to coordinate the information security program;
  • Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
  • Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
  • Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the company; and
  • Evaluate and adjust its information security program to reflect the results of monitoring, any material changes to its operations, or other circumstances that may impact the effectiveness of the security program.

In addition, TJX must retain an independent, third-party security auditor to assess the sufficiency of its information security program at least once every two years for the next 20 years. This security auditor will be required to certify that the company’s security program satisfies the requirements of the consent agreement and is operating with sufficient effectiveness to provide reasonable assurance that consumers’ personal information is being protected. The FTC is not seeking any financial penalty to resolve the charges.

The proposed agreement is subject to public comment until April 28, 2008, after which the FTC will decide whether to make it final.

Oregon Becomes 38th State to Adopt Breach Notification Law

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

The bill defines "breach of security" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person" (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, "after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach."

For purposes of the bill, "personal information" is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States-issued ID number, or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data "would be sufficient to permit a person to commit identity theft."

Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data." An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.

Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

The full text of S.B. 583 is available here.