Proskauer Rose

Subscribe to Proskauer Rose's Posts
Contact:Read more about Proskauer Rose

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that “reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.” As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

The Southern District of Florida has held that the Fair Credit Reporting Act (FACTA), applies to both electronic receipts from online purchases and receipts printed in stores. In Grabein v. 1-800-Flowers.com, Inc., 07-22235-CIV, 2008 WL 343179 (S.D. Fla. Jan. 29, 2008), Plaintiff filed a class action lawsuit after he used a credit card to purchase flowers through Defendant’s website and received a receipt that contained both Plaintiff’s truncated credit card number and the card’s expiration date. Plaintiff alleged that printing both pieces of information violated FACTA, which provides:

No person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 15 U.S.C. § 1681c(g).