Kristen J. Mathews

Subscribe to Kristen J. Mathews's Posts

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas’s amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.

Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer.  “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site.  These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.