Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

New Jersey law, like California law, does restrict the collection of personal information in connection with credit card purchases in some ways. However, New Jersey’s law does not provide for a private right of action. Therefore, the plaintiff in this case attempted to invoke the New Jersey law though the TCCWNA, which does provide for a private right of action. But unfortunately for the plaintiff, her complaint failed to allege the existence of a written contract containing a provision that explicitly violated the applicable New Jersey law on the subject so as to trigger the TCCWNA. Rather, Judge Walls rightly concluded that even assuming that the credit card transaction form constituted a written consumer contract, as plaintiff alleged it did, the “existence of the recorded zip code itself, which consists solely of numbers, does not constitute a contract provision that violates the plaintiff’s rights.” As such, the complaint failed to state a claim under the TCCWNA and required dismissal. The court also denied the plaintiff’s request to file an amended complaint because, in his opinion, the proposed amended complaint failed to either set forth any additional factual support for plaintiff’s allegation that the credit card transaction form constituted a written contract or allege any written provision of such “contract” violated her rights. Thus, according to Judge Walls, the amended complaint would fail for the same reasons as the original complaint.

The district court’s decision in this case supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see this blog post) into other jurisdictions.

According to the Attorney General, the Final Judgment “works to ensure that steps have been taken to protect consumer information moving forward.” Although the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) did not become effective until after the April 2009 breach, the Attorney General used the regulations as a reference point for identifying deficiencies in the company’s approach to information security. In its complaint against Briar Group, the Attorney General alleged, among other things, that the company (i) failed to change default usernames and passwords for its point-of-sale system, (ii) allowed employees to share passwords, (iii) did not appropriately limit the number of employees with administrative access to company systems, and (iv) stored payment card information in clear text on its servers. Taken together, these deficiencies allowed the breach of Briar Group’s systems to continue unabated until approximately December 2009.

In her announcement of the Final Judgment, Massachusetts Attorney General Martha Coakley explained that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” With this in mind, and 201 CMR 17.00 now firmly entrenched, companies handling personal information about Massachusetts residents should be prepared. Hint: That means have a WISP and follow it!

The lengthy delay between discovery of the lost hard drive and individual notifications was not the only thing Sorrell found to be wrong with HealthNet’s response to the May 2009 breach, however. Vermont’s Attorney General also claimed that HealthNet violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) by failing to secure protected health information and the state’s Consumer Fraud Act by misrepresenting, in its letters to individuals, the risk posed by the breach. In those letters, HealthNet told individuals that the risk of harm to them was “low” because the files were saved in a format that could not be easily accessed when, in reality, the files were saved in the relatively easily viewable TIF format.

The Vermont Attorney General’s settlement with HealthNet, which the U.S. District Court for the District of Vermont approved on January 21, 2011, requires the company to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

The HealthNet settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!

The Logistep case involved a service provider that collected information about peer-to-peer filing sharing activity and sold this information to copyright holders who used it to identify and sue potential copyright infringers. In January 2008, Switzerland’s data protection authorities (FDCIP) asked Logistep to stop its peer-to-peer monitoring activities. The FDCIP alleged that Logistep’s activities violated the Swiss Data Protection Act since they were unknown to computer users and circumvented certain telecommunications privacy rights that could only be waived in criminal proceedings. Logistep ignored the FDCIP’s request, and quickly became the subject of an FDCIP enforcement action. The administrative court overseeing the FDCIP’s enforcement action ruled that IP addresses did constitute personal information. Nonetheless, the court allowed Logistep to continue its monitoring activities because, in its view, the interests of copyright holders outweighed the interests of computer users seeking to have their IP addresses protected.

On appeal, the Federal Supreme Court affirmed the lower court’s conclusion that IP addresses are personal information. But the Supreme Court reversed the lower court’s conclusion regarding Logistep’s monitoring activities, finding that the contested conduct should be stopped because it involved a major invasion of privacy and could not be justified by any overriding interest. Consequently, as the FDCIP announced on September 9, 2010, Logistep may no longer “collect or pass on any further data” in furtherance of its contested copyright enforcement activities.

In addition to the HHS resolution agreement, Rite Aid has entered into a separate, but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!

Judge Berman’s dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit. Indeed, Judge Berman’s written opinion cited similar dismissals in over twenty such decisions in the opening paragraph.

The Hammond decision is not unique on account of its central themes because the law in this area, except with respect to whether such plaintiffs have standing, is clear at this point. But the decision is noteworthy for the following reasons:

• The opinion demonstrates that the lack of standing argument is still alive and well (and potentially trending toward the victorious) after being vigorously debated and variously decided in nearly every identity exposure case;
• In addition to the lack of damages, the court rejected the plaintiffs’ negligence, breach of fiduciary duty and breach of implied contract claims in large part due to the lack of direct dealings between The Bank of New York Mellon and the plaintiffs, which negated the plaintiffs’ claims of any duty or relationship between the parties;
• Although several plaintiffs experienced unauthorized credit transactions after the tapes were lost, they acknowledged during discovery that they had not suffered identity theft or any fraud as a result of the tape loss thereby dooming their claims; and
• This second victory on behalf of The Bank of New York Mellon further demonstrates Proskauer’s depth of experience and expertise in this area.

It will likely only be a matter of time before another court evaluating the merits of an identity exposure case looks to the Hammond decision for guidance, and we’ll report on that case too. In the meantime, stay tuned, and remember that mere disclosure of personal information, without more, does not a lawsuit make.
 

On appeal, the Ninth Circuit agreed with the district court’s dismissal of each of the plaintiff’s causes of action, including claims for negligence, breach of contract, unfair competition, invasion of privacy and violation of California’s Social Security number protection law (Cal. Civ. Code § 1798.85). The Court’s relatively brief opinion went a little something like this:

• Negligence. Requires Plaintiff to show actual damages. He failed to do that because even if time and money spent on credit monitoring are sufficient, Plaintiff failed to provide any evidence of the time and money he spent on credit monitoring. AFFIRMED.
• Breach of contract. Similarly requires Plaintiff to show actual damages. Plaintiff failed to show any appreciable harm, and nominal damages will not suffice according to binding Ninth Circuit precedent. AFFIRMED.
• Unfair competition. Another claim that requires Plaintiff to show actual damages. Actual damages mean loss of money or property, and there is no evidence to support such a loss. AFFIRMED.
• Invasion of privacy. California courts have yet to extend this cause of action to accidental or negligent conduct. In addition, it is not clear that an increased risk of a privacy invasion, rather than an actual privacy invasion, suffices. AFFIRMED.
• Violation of Cal. Civ. Code § 1798.85. The law prohibiting requiring an individual to use his Social Security number to access a Web site absent some additional authentication mechanism is not directed at subsequent requests for information once a user enters the Web site. AFFIRMED.

The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make! This decision hopefully will also allow Gap and friends to relax (a little) after a prolonged litigation battle.
 

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.
 

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

Here are some key points regarding the new version of Nevada’s encryption law:

What is a “Data Storage Device?”  Included in the definition are: “computers, cellular phones, magnetic tape, electronic computer drives, optical computer drives and the medium itself.”  This is not an exclusive list.

What type of Encryption?  Under the old law, any sort of encryption satisfied the encryption requirement, the law did not specify a threshold for compliance.  S.B. 227, however, requires (1)  the use of “encryption technology that has been adopted by an established standards setting body . . . which renders such data indecipherable in the absence of associated cryptographic keys” and (2) “[a]ppropriate management and safeguards of cryptographic keys . . . using standards promulgated by an established standards setting body.”

Immunity from damages – If a data collector loses personal information, it is not liable, as long as it complied with the law and the loss did not result from gross negligence or intentional misconduct.  So the new law provides a safe harbor to businesses that follow the more stringent rules.  However, as we noted with respect to the old law, it is not entirely clear who may sue to enforce the law’s provisions.

Payment Card Exemption – If personal information is transmitted for use in a payment card transaction then “with respect to those transactions” the data collector need only comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  PCI DSS Requirement 4 requires encryption when the data is being transmitted on an open, public network.  The exact scope of “those transactions” is still unclear, but it is clear that the exemption will not encompass transmissions of personal information that are unrelated to payment card transactions. Payment cards are defined broadly to include almost any card that is issued to an authorized card user and that allows that user to obtain, purchase or receive anything of value.  See NRS 205.602.

Telecommunications Provider Exemption – Another interesting addition to the final draft of the law was an exemption for telecom companies that act “solely in the role of conveying the communications of other persons” because these providers are not responsible for the content transmitted using their systems.  This exemption is broad, and applies without regard to the mode of conveyance used, including wireless, voice over Internet protocol (“VOIP”) and other digital transmission technologies.

Remaining Questions – Unfortunately, S.B. 227 fails to answer some of our questions about the original law. Specifically, it remains to be seen, among other things, (a) who can enforce this law, (b) whether there is a private right to sue, and (c) what it means for a company to be “doing

business in this State.”

Stay tuned!

Proskauer summer associate Gary Silber contributed to this post.

Responding to the concerns of the regulated community, the OCABR’s revised regulations, 201 CMR 17.00, do not require covered entities to obtain written certification of compliance with the regulations from third party service providers handling personal information on their behalf. Instead, covered entities need only take steps to verify that third party service providers are able to, and do, employ the kind of personal information security measures required by 201 CMR 17.00. The revised regulations are otherwise nearly identical to the OCABR’s earlier version, which is described here.

In the OCABR’s Thursday press release, Undersecretary Daniel Crane expressed the importance of the new regulations to Massachusetts consumers and the need for businesses to take steps toward compliance. As to the revised compliance timeframe, Crane said “[w]e understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students.  On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.   

Originally proposed on March 28, 2008, the DOE published a notice which proposed various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March, 2008 NPRM.  The Final Rules become effective January 8, 2009.

Some of the significant changes brought about by the Final Rules include the following:

·         Amending several key definitions, including the definition of “directory information,” which expressly excludes therefrom a student’s Social Security number or student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN number or password).

·         Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

·         Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions… .”  

·         Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institutions for purposes of testing, student aid and improvement of instruction. (Specifically, the Final Rules added a requirement to this exception, that the educational agency or institution enter into a written agreement containing specific provisions with the organization conducting the study.)

·         Clarifying an educational agency or institution’s obligations with respect to the handling of opt-out requests to the disclosure of directory information.

·         Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”

·         Implementing the provisions of the USA Patriot Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA Patriot Act.

·         Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders provided to the agency or institution under the federal statute, the Violent Crime Control and Law Enforcement Act of 1994.

Additionally, in the preamble to the Final Rule, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of educational records.  These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure, or other breach or compromise involving, education records.

FERPA seeks to protect the privacy of education records of students, and applies to all educational institutions and agencies that receive federal funding under a federal education program. FERPA provides to parents of children under the age of 18 (and “eligible students” over the age of 18) certain rights with respect to their education records maintained by an educational institution or agency, including the right to access and copy education records.  Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (not including “directory information,” however) from education records without prior consent.  Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” FERPA sets forth a non-exhaustive list of data elements that would be considered part of such definition.  Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that such institution or agency give notice to parents and the ability to opt out of such disclosures.

For a copy of the Federal Register notice containing the Final Rules, click here.  For the Federal Register notice containing the NPRM, click here.

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code" the court concluded a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

In 2002, UNITE launched a drive to organize Cintas employees. A major component of the drive consisted of identifying potential legal claims against Cintas. UNITE’s plan included making house calls to Cintas employees who might be reluctant to talk to union organizers at work for fear of retaliation by Cintas management. UNITE compiled lists of names and addresses for Cintas employees using a variety of tactics. One such tactic, known as “tagging,” required union organizers to observe cars entering Cintas parking lots, record license plate numbers and access state motor vehicle records relating to those plate numbers. UNITE tagged between 1,758 and 2,005 Cintas employees.

In 2004, a group of Cintas employees who had been tagged filed a class action lawsuit in the U.S. District Court for the Eastern District of Pennsylvania alleging violations of the DPPA, which provides that a “person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains . . . .” 18 U.S.C. § 2724(a). The district court granted summary judgment in favor of ten plaintiffs and ruled that each of the plaintiffs was entitled to a liquidated damages award of $2,500, but not punitive damages. Both parties appealed.

On appeal, UNITE argued that the district court misapplied the DPPA and failed to realize that the statute allowed it to obtain and use the employees’ motor vehicle record information “in anticipation of litigation” and/or when “acting on behalf of a Federal, State or local agency in carrying out its functions.” The plaintiffs argued that they each should have been awarded punitive damages and liquidated damages in the amount of $5,000; $2,500 for the unauthorized access and $2,500 for the subsequent unauthorized use of their personal information, which they contended constituted separate violations of the DPPA.

The Third Circuit rejected UNITE’s principal argument, finding that “[b]ecause UNITE obtained and used the confidential information for an impermissible purpose – union organizing – it does not matter what other permissible purpose UNITE may have had.” The court similarly rejected UNITE’s other arguments that liquidated damages should not have been awarded absent actual damages and that liability should be contingent on proof that the union knew its actions were impermissible.

Addressing the plaintiffs’ cross-appeal, the Third Circuit agreed that an award of punitive damages may be permissible under the DPPA and remanded the case to the district court for further proceedings on the issue of damages. The court stated that “where there is a genuine issue of material fact regarding the willfulness or recklessness of a defendant’s conduct, we hold that the Seventh Amendment requires a trial by jury on the issue of punitive damages under the DPPA.” The court, however, rejected the plaintiffs’ argument that they should be entitled to $5,000 each in liquidated damages. The court noted that Congress anticipated that “in most cases, a defendant who obtained a motor vehicle record would put it to some use” and enlarging the statute’s liquidated damages award based on such use “would effectively result in a minimum award of $5,000 for every violation of the DPPA . . . .”

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the court’s other recent decision, on May 22, 2008, which case involved The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, “TJX”), and in which case the California Court of Appeal also narrowed the scope of claims available under the Act in ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a Summer Associated in Proskauer’s Los Angeles office, contributed to this post.

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

• Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;

• Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The complaint identified five specific security failures:

• failure to adequately assess risks to the information stored on the network and in paper files,
• failure to adequately restrict access to personal information to authorized employees only,
• failure to implement a comprehensive information security program,
• failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
• failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

• “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
•  the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
• any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction. 

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institution for the “costs of reasonable actions” to both protect its cardholders’ information and to continue to provide services to its cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover for the costs of damages it pays to cardholders resulting from a breach.         

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

• account numbers retained by businesses be “indecipherable” to unauthorized persons;
• that payment related data sent across a network be encrypted;
• that companies have role-based restrictions for employee access to such data; and
• the bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license breached personal information, to reimburse data owners and licensees for “reasonable and actual costs” of providing data breach notification.                   

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry’s Data Security Standard (“PCI DSS”). The PCI DSS are extensive industry security standards designed to prevent identity theft that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision.