Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which refused to divulge the evaluations to the employees upon request.

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, — F.3d –, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

In a novel case, the Ninth Circuit ruled on July 6, as amended July 25, that government surveillance of Internet Protocol (“IP”) addresses visited, to/from addresses of emails, and the total volume of information sent to or from an email account does not violate the Fourth Amendment. United States v. Forrester, No. 05-50410, — F.3d — (9th Cir. July 6, 2007). The ruling does not affect the requirement that the government obtain a search warrant before searching the actual content of that Internet traffic.

The defendant in United States v. Forrester, Dennis Louis Alba, was charged and convicted of various federal offenses relating to the operation of an Ecstasy-manufacturing laboratory. During the government’s investigation of Alba, it installed a device on Alba’s computer that gathered the IP addresses of the websites he visited, the to/from addresses of his emails, and the total volume of information sent to or from his email account. In his appeal, Alba contended that the surveillance constituted a warrantless search in violation of the Fourth Amendment and fell outside of the then-applicable pen register statute. The Ninth Circuit addressed the merits of Alba’s first contention, but found it unnecessary to address the second.

The Ninth Circuit applied the Supreme Court’s analysis in Smith v. Maryland, 442 U.S. 735 (1979), in which the Court held that a pen register does not constitute a Fourth Amendment search. The Court so held because pen registers merely track phone numbers dialed and do not reveal the actual contents of conversations. Cf. Katz v. United States, 289 U.S. 347 (1967) (holding that one can have a legitimate expectation of privacy in the contents of one’s phone conversations). The Ninth Circuit reasoned that the government’s surveillance of Alba’s activity was “constitutionally indistinguishable” from surveillance via a pen register because accessing IP addresses involves the transmission and receipt of a unique identifier, which does not reveal actual content, via the third-party equipment of an internet service provider. An Internet user therefore does not have a legitimate expectation of privacy in the IP addresses he or she accesses.

Balancing privacy and evidentiary interests in a stock option backdating matter, the Northern District of California held on June 11, 2007 that the SEC’s interest in obtaining banking account information of defendant Gregory Reyes, ex-CEO of Brocade Communications, outweighs Reyes’ financial history privacy interests. SEC v. Reyes, No. C 06-04435 CRB (N.D. Cal. 2007).