Privacy Law Blog
Subscribe to all posts by Proskauer Rose

90210 Gets Personal: California Supreme Court Rules that ZIP Codes are “Personal Identification Information”

By Proskauer Rose on Posted in California
Yesterday, the California Supreme Court held that ZIP codes are "personal identification information" within the meaning of the state's Song Beverly Credit Card Act. The court's decision in Pineda v. Williams-Sonoma Stores, Inc., No. S178241 slip op. (Cal. Feb. 10, 2011), casts a dark cloud over the established retail practice of asking for ZIP codes when customers make brick-and-mortar purchases using a credit card and essentially reverses the Court of Appeal's decision in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008). In addition to some heated debate, the Pineda decision is likely to generate a healthy number of lawsuits against California retailers. … Continue Reading

Glacially Expedient? Vermont Attorney General Settles with HealthNet for Failure to Timely Notify State Residents of Data Breach

By Proskauer Rose on Posted in Data Breaches
On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state's data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General's settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now! … Continue Reading

Please Ignore the Intrusion, We Just Have a Few Questions to Ask: Supreme Court Validates Background Checks for Government Contractors

By Proskauer Rose on Posted in Workplace Privacy
On January 19, 2011, the U.S. Supreme Court held that the federal government has broad latitude to conduct background checks on contractors who work at government facilities. Assuming, without deciding, that two parts of a standard government employment background investigation implicated a constitutional privacy interest, the Court held that the government is permitted to ask reasonable employment-related questions that further the government's interests in managing its internal operations, particularly where the results of such investigations are adequately protected from public disclosure. … Continue Reading

California Supreme Court: Law Enforcement Officials May Search Cellular Phones Incident To Arrest

By Proskauer Rose on Posted in Fourth Amendment
On Monday, the California Supreme Court ruled that the Fourth Amendment to the United States Constitution did not prohibit a deputy sheriff from conducting a warrantless, post-arrest search of the text messages of an arrestee. Specifically, the Court affirmed the decision of the Court of Appeal that the cell phone was “immediately associated with [defendant’s] person … Continue Reading

Superiority Beats Enormity: 9th Circuit Rejects Denial of FACTA Class Certification Based on Disproportionality of Damages

By Proskauer Rose on Posted in Financial Privacy
In a decision filed September 27, 2010, the U.S. Court of Appeals for the Ninth Circuit reversed a California district court's refusal to certify a class action alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). The Ninth Circuit ruled that none of the three grounds advanced below - the disproportionality between the potential liability and the actual harm suffered, the enormity of the potential damages, or the defendant's good faith compliance with FACTA after being sued - justified denying class certification on superiority grounds. The Ninth Circuit's decision narrows, if not eliminates, the potential for disagreement among district courts on an issue that has for some time been a fly in the ointment for class action plaintiffs (and their attorneys) hoping for big paydays on account of harmless technical violations of FACTA. … Continue Reading

Can I ask you a personal question? What is your computer’s IP address?

By Proskauer Rose on Posted in International
In a September 8, 2010 opinion, Switzerland's highest court announced that Internet Protocol (IP) addresses are personal information protected by the country's data protection laws. The Swiss Federal Supreme Court's ruling in In re Logistep AG, BGer, No. 1C-285/2009, 1C_295/2009, 9/8/10, adds to the longstanding debate over whether such information is personal information despite the fact that a single IP address can be attributed to more than one computer user. While the debate is far from over, the Logistep decision makes clear that businesses collecting information about individuals' Internet activities, particularly those with operations in Europe, must treat IP addresses with care, as they may be protected by privacy laws in some jurisdictions. … Continue Reading

Proskauer Litigators Notch Another Victory for The Bank of New York Mellon in “Identity Exposure” Lawsuit

By Proskauer Rose on Posted in Data Breaches
On June 25, 2010, Judge Richard Berman of the U.S. District Court of the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. Judge Berman's dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit. … Continue Reading

No Question about Quon: U.S. Supreme Court Unanimous in Overturning Ninth Circuit

By Proskauer Rose on Posted in Electronic Communications, Workplace Privacy
In an important decision for employers, the U.S. Supreme Court unanimously overturned a decision by the U.S. Court of Appeals for the Ninth Circuit in a case involving an employee's assertion that a government employer had violated the Fourth Amendment by unreasonably obtaining and reviewing personal text messages sent and received on employer-issued pagers. The decision, a victory for employers, provides helpful guidance for management of electronic communication systems and workplace searches. Read this alert to learn more about the decision and how it may affect you. … Continue Reading

Geez Ruiz: 9th Circuit (Probably) Ends Long-standing Data Breach Litigation Against Gap, Inc. and Others

By Proskauer Rose on Posted in Data Breaches
On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court's dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. The Ninth Circuit's decision echoes those issued in every "identity exposure" lawsuit to date: an increased risk of identity theft does not a lawsuit make! … Continue Reading

Everybody Likes Free Stuff: Draft Privacy Legislation Seeks To Enhance Consumer Protections Without Disrupting Ad-Supported Internet Business Model

By Proskauer Rose on Posted in Data Privacy Laws
A draft Congressional bill released Tuesday, May 3 aims enhance consumer privacy protections both online and offline and establish a national framework for the collection, use and security of consumer information, superseding state law requirements regarding the collection, use and disclosure of the information it covers. The draft legislation, sponsored by Congressmen Rick Boucher (D, Va.) and Cliff Stearns (R, Fla.), recognizes the importance of online advertising in supporting free online content and services and attempts to extend privacy protections without disruption of this business model. … Continue Reading

Robocalling. Easy. Doing it right? Maybe not so much . . .

By Proskauer Rose on Posted in Direct Marketing
On April 27, 2010, the Federal Trade Commission announced separate settlements with women's clothing retailer Talbots and its telemarketer SmartReply, Inc. for violations of the Telemarketing Sales Rule ("TSR"). The FTC alleged that SmartReply's robocalls for Talbots did not allow consumers to opt out of future calls until they had listened to almost all of the prerecorded solicitation or failed to provide opt out instructions; did not immediately disconnect consumers that chose to opt out; and failed to notify live call recipients of their right to opt out at any time during the call. … Continue Reading

Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

By Proskauer Rose on Posted in Financial Privacy
On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually who fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards as well as attorneys fees and costs in the event that a security breach involving payment card information is a proximate result. … Continue Reading

New Jersey’s High Court Ruling Reaffirms Employer’s Right To Monitor and Restrict Computer Use

By Proskauer Rose on Posted in Workplace Privacy
In a continuation of the Stengart v. Loving Care Agency case we wrote about in August 2009, the New Jersey Supreme Court ruled on March 30, 2010 that emails sent by an employee from a company laptop via a web-based email account (Yahoo!) to her attorney were protected from disclosure by the attorney-client privilege. In reaching this conclusion, the Court also ruled and provided insight on a far broader and more practical issue for employers -- namely, how to draft enforceable computer usage policies and/or make existing policies more effective. … Continue Reading

EU Article 29 Working Party Clarifies Definitions of “Data Controller” and “Data Processor”

By Proskauer Rose on Posted in European Union
On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of "data controller" and "data processor" as those designations are used within the European Data Protection Directive. The Working Party's opinion is welcome guidance, as such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies. … Continue Reading

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

By Proskauer Rose on Posted in FTC Enforcement
On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it." … Continue Reading
LexBlog