Imagine a website that allows people to post comments or content anonymously, to protect their privacy. Pretty common. Now imagine that the website assists the poster through an interactive online questionnaire seeking specific categories of information. Under a new ruling of the Ninth Circuit, the anonymous poster who provides the information may escape detection and liability, while the website operator may be held responsible. This is a big change in the law of website operator immunity.

On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure.

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens.  In a statement announcing the new law, Dubai called the enactment “pioneering in the region” and an examination of the law reveals that the description is rightly deserved.   The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.

Last week, a panel of the Ninth Circuit Court of Appeals held that in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy, under the Fourth Amendment, in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), wherein it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access of a student computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of evidence under the judicially-created “special needs” exception to the Fourth Amendment because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.   

The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public on the Secretary’s website, so that lenders and creditors could verify the availability of personal property used as collateral. Approximately one-third of the state’s two million UCC filings contained SSNs. Secretary of State Debra Bowen immediately shut off web-based access to the UCC filings and took down the offending part of the website.