Illinois Attorney General Issues Information Security and Security Breach Notification Guidance

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that handles personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in preventing, preparing for and responding to data security breaches. The guidance suggests that entities assess the amount of personal information on file, reduce the amount of personal information available within the entity, protect the remaining information accordingly and train employees to properly manage it. In order to respond quickly and efficiently to a data security breach, the guidance encourages entities to create and implement an incident response plan that incorporates the PIPA notice requirements.


What Do You Really Need to Know About the FTC's Recent Report on Privacy?

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today? 

  • They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example in stores, at events, on the phone, via loyalty programs, through registration cards, and the like. The FTC’s report recommends that companies have privacy policies that apply offline as well.
  • They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies’ privacy policies will need to be revised.
  • They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than “commonly accepted practices”). For example, if the company will share the consumer’s data with a third party for the third party’s marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company, and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer, or shared with others for behavioral marketing purposes.
  • Consumer choices could no longer be obtained using the good old pre-checked consent box.
  • When data collected in a brick-and-mortar store will be used by the company in one of these “non-accepted” ways, the FTC proposes that the sales associate communicate the consumer’s choices to the consumer orally.
  • When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)
  • The FTC proposes that data sharing with an affiliate be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.
  • The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)
  • The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about “sensitive” consumers such as children and possibly teens.
  • The FTC’s recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.
  • The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.
  • The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose. (In other words, don’t collect it or retain it “just in case it comes in handy for something later.”)
  • The FTC endorses a universal consumer “Do Not Track” option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)
  • The FTC proposes that companies assign personnel to oversee privacy issues.
  • The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)
  • The FTC proposes “privacy by design.” In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review at the last minute before launch.)
  • The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the “layered” policy approach, in which each policy layer links to more detail in the next layer.
  • You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id.

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389770, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.)

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8.

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft. See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, at *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).