Privacy Law Blog : Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Here are some key points regarding the new version of Nevada’s encryption law:

What is a “Data Storage Device?”  Included in the definition are: “computers, cellular phones, magnetic tape, electronic computer drives, optical computer drives and the medium itself.”  This is not an exclusive list.

What type of Encryption?  Under the old law, any sort of encryption satisfied the encryption requirement, the law did not specify a threshold for compliance.  S.B. 227, however, requires (1)  the use of “encryption technology that has been adopted by an established standards setting body . . . which renders such data indecipherable in the absence of associated cryptographic keys” and (2) “[a]ppropriate management and safeguards of cryptographic keys . . . using standards promulgated by an established standards setting body.”

Immunity from damages – If a data collector loses personal information, it is not liable, as long as it complied with the law and the loss did not result from gross negligence or intentional misconduct.  So the new law provides a safe harbor to businesses that follow the more stringent rules.  However, as we noted with respect to the old law, it is not entirely clear who may sue to enforce the law’s provisions.

Payment Card Exemption – If personal information is transmitted for use in a payment card transaction then “with respect to those transactions” the data collector need only comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  PCI DSS Requirement 4 requires encryption when the data is being transmitted on an open, public network.  The exact scope of “those transactions” is still unclear, but it is clear that the exemption will not encompass transmissions of personal information that are unrelated to payment card transactions. Payment cards are defined broadly to include almost any card that is issued to an authorized card user and that allows that user to obtain, purchase or receive anything of value.  See NRS 205.602.

Telecommunications Provider Exemption – Another interesting addition to the final draft of the law was an exemption for telecom companies that act “solely in the role of conveying the communications of other persons” because these providers are not responsible for the content transmitted using their systems.  This exemption is broad, and applies without regard to the mode of conveyance used, including wireless, voice over Internet protocol (“VOIP”) and other digital transmission technologies.

Remaining Questions – Unfortunately, S.B. 227 fails to answer some of our questions about the original law. Specifically, it remains to be seen, among other things, (a) who can enforce this law, (b) whether there is a private right to sue, and (c) what it means for a company to be “doing

business in this State.”

Stay tuned!

Proskauer summer associate Gary Silber contributed to this post.

Responding to the concerns of the regulated community, the OCABR’s revised regulations, 201 CMR 17.00, do not require covered entities to obtain written certification of compliance with the regulations from third party service providers handling personal information on their behalf. Instead, covered entities need only take steps to verify that third party service providers are able to, and do, employ the kind of personal information security measures required by 201 CMR 17.00. The revised regulations are otherwise nearly identical to the OCABR’s earlier version, which is described here.

In the OCABR’s Thursday press release, Undersecretary Daniel Crane expressed the importance of the new regulations to Massachusetts consumers and the need for businesses to take steps toward compliance. As to the revised compliance timeframe, Crane said “[w]e understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students.  On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.   

Originally proposed on March 28, 2008, the DOE published a notice which proposed various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March, 2008 NPRM.  The Final Rules become effective January 8, 2009.

Some of the significant changes brought about by the Final Rules include the following:

·         Amending several key definitions, including the definition of “directory information,” which expressly excludes therefrom a student’s Social Security number or student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN number or password).

·         Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

·         Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions… .”  

·         Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institutions for purposes of testing, student aid and improvement of instruction. (Specifically, the Final Rules added a requirement to this exception, that the educational agency or institution enter into a written agreement containing specific provisions with the organization conducting the study.)

·         Clarifying an educational agency or institution’s obligations with respect to the handling of opt-out requests to the disclosure of directory information.

·         Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”

·         Implementing the provisions of the USA Patriot Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA Patriot Act.

·         Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders provided to the agency or institution under the federal statute, the Violent Crime Control and Law Enforcement Act of 1994.

Additionally, in the preamble to the Final Rule, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of educational records.  These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure, or other breach or compromise involving, education records.

FERPA seeks to protect the privacy of education records of students, and applies to all educational institutions and agencies that receive federal funding under a federal education program. FERPA provides to parents of children under the age of 18 (and “eligible students” over the age of 18) certain rights with respect to their education records maintained by an educational institution or agency, including the right to access and copy education records.  Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (not including “directory information,” however) from education records without prior consent.  Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” FERPA sets forth a non-exhaustive list of data elements that would be considered part of such definition.  Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that such institution or agency give notice to parents and the ability to opt out of such disclosures.

For a copy of the Federal Register notice containing the Final Rules, click here.  For the Federal Register notice containing the NPRM, click here.

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code" the court concluded a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

In 2002, UNITE launched a drive to organize Cintas employees. A major component of the drive consisted of identifying potential legal claims against Cintas. UNITE’s plan included making house calls to Cintas employees who might be reluctant to talk to union organizers at work for fear of retaliation by Cintas management. UNITE compiled lists of names and addresses for Cintas employees using a variety of tactics. One such tactic, known as “tagging,” required union organizers to observe cars entering Cintas parking lots, record license plate numbers and access state motor vehicle records relating to those plate numbers. UNITE tagged between 1,758 and 2,005 Cintas employees.

In 2004, a group of Cintas employees who had been tagged filed a class action lawsuit in the U.S. District Court for the Eastern District of Pennsylvania alleging violations of the DPPA, which provides that a “person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains . . . .” 18 U.S.C. § 2724(a). The district court granted summary judgment in favor of ten plaintiffs and ruled that each of the plaintiffs was entitled to a liquidated damages award of $2,500, but not punitive damages. Both parties appealed.

On appeal, UNITE argued that the district court misapplied the DPPA and failed to realize that the statute allowed it to obtain and use the employees’ motor vehicle record information “in anticipation of litigation” and/or when “acting on behalf of a Federal, State or local agency in carrying out its functions.” The plaintiffs argued that they each should have been awarded punitive damages and liquidated damages in the amount of $5,000; $2,500 for the unauthorized access and $2,500 for the subsequent unauthorized use of their personal information, which they contended constituted separate violations of the DPPA.

The Third Circuit rejected UNITE’s principal argument, finding that “[b]ecause UNITE obtained and used the confidential information for an impermissible purpose – union organizing – it does not matter what other permissible purpose UNITE may have had.” The court similarly rejected UNITE’s other arguments that liquidated damages should not have been awarded absent actual damages and that liability should be contingent on proof that the union knew its actions were impermissible.

Addressing the plaintiffs’ cross-appeal, the Third Circuit agreed that an award of punitive damages may be permissible under the DPPA and remanded the case to the district court for further proceedings on the issue of damages. The court stated that “where there is a genuine issue of material fact regarding the willfulness or recklessness of a defendant’s conduct, we hold that the Seventh Amendment requires a trial by jury on the issue of punitive damages under the DPPA.” The court, however, rejected the plaintiffs’ argument that they should be entitled to $5,000 each in liquidated damages. The court noted that Congress anticipated that “in most cases, a defendant who obtained a motor vehicle record would put it to some use” and enlarging the statute’s liquidated damages award based on such use “would effectively result in a minimum award of $5,000 for every violation of the DPPA . . . .”

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the court’s other recent decision, on May 22, 2008, which case involved The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, “TJX”), and in which case the California Court of Appeal also narrowed the scope of claims available under the Act in ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a Summer Associated in Proskauer’s Los Angeles office, contributed to this post.

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

• Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;

• Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The complaint identified five specific security failures:

• failure to adequately assess risks to the information stored on the network and in paper files,
• failure to adequately restrict access to personal information to authorized employees only,
• failure to implement a comprehensive information security program,
• failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
• failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.