The European Data Protection Supervisor (EDPS) has come out in favor of the EU enacting data security breach notification laws.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration’s own data processing, as well as by commenting on pending legislation.

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that “reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.” As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

Website Operator Can Be Held Liable for State Intellectual Property Violations

A federal district court in New Hampshire recently ruled that Section 230 of the Communications Decency Act of 1996 (“CDA”) does not prevent a state law right of publicity claim against a Website operator. In Doe v. Friendfinder Network, Inc., No. 07-286, 2008 WL 803947 (D.N.H. March 27, 2008), a profile of the plaintiff, including a nude photo and biographical information, was posted by an unknown third party on AdultFriendFinder.com, an online swingers community, without the plaintiff’s knowledge or consent. The plaintiff asserted eight claims against the Website for, among other things, invasion of privacy (including violation of her right of publicity), defamation and false designation in violation of the Lanham Act. On the site’s motion to dismiss, the district court found that all of plaintiff’s claims were barred by the CDA, except her false designation and right of publicity claims. In so holding, the district court challenged and criticized a recent Ninth Circuit decision regarding the CDA’s immunity.