First CAN-SPAM Jury Conviction

On January 12, 2007, Jeffrey Brett Goodin became the first person convicted by a jury of violating the CAN-SPAM Act of 2003. Using several compromised Earthlink accounts, Goodin perpetrated a phishing scheme by sending thousands of e-mails to America Online users and requesting personal and credit card information. He and others then used that information to make unauthorized charges on his victims’ credit cards. Goodin is scheduled to be sentenced in the Central District on June 11. He faces up to 101 years in prison.

The new year brings with it many new California privacy laws. Included are the following:

S.B. 202 – Telephone Record Pretexting

As previously reported, S.B. 202 amends Penal Code § 638 to prohibit the purchase or sale of any telephone pattern record or list without the written consent of the subscriber.

A.B. 424 – Identity Theft: Personal Information

A.B. 424 expands the definition of identity theft victim, for purposes of Penal Code §§ 530.5, 530.6 and 530.8, to include firms, associations, organizations, partnerships, businesses, trusts, companies, corporations, limited liability companies or public entities.

A.B. 618 – Financial Crime

Upon request from law enforcement agencies, banks, credit unions and savings associations must provide surveillance photos and videos of anyone accessing the financial account of a crime victim, whether such access occurred at an ATM or inside the financial institution. Government Code § 7480.

A.B. 2043 – Identity Theft and Debt Collection

This law amends Civil Code §§ 1788.2 and 1788.18 to extend to firms, associations, organizations, partnerships, business trusts, companies, corporations, and limited liability companies protections previously available to consumers to contest debts where they are victims of identity theft.

A.B. 2886 – Identity Theft Penalties

This law amends Penal Code §§ 530.5 and 530.55 to define new crimes, enhance penalties and create court procedures concerning crimes of identity theft, including: 1) penalty enhancements for repeat offenders and for those stealing the identities of ten or more people; 2) a requirement that court records reflect that the person whose identity was stolen was not responsible for the crime committed; 3) penalties for selling, transferring or conveying personal information with the knowledge that it will be used to commit identity theft or with the intent to defraud; 4) a state penalty for mail theft; and 5) the addition of professional or occupational number to the definition of "personal identifying information."

A number of recent developments indicate that the 110th Congress, to be seated in January, may seek to federalize data privacy laws and preempt state legislation in that area. Several data security bills were introduced in the 109th Congress; however, to date, none have passed.

Sen. Patrick Leahy of Vermont, the incoming chair of the Committee on the Judiciary, recently reiterated his commitment to enacting privacy legislation. One of Leahy’s aides noted that he expects the reintroduction of S. 1789, a bill heard by the Judiciary Committee that did not progress. In addition to creating requirements for protection of data and notification of breaches, S. 1789, at least as revised in 2005, contains the following clause: “No State may require any business entity subject to this subtitle to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.”

Senator Dianne Feinstein of California, incoming chair of the Senate Committee on the Judiciary Subcommittee on Terrorism, Technology and Homeland Security, also plans to introduce legislation concerning notification of data breaches. Feinstein introduced similar legislation in 2005. That bill, which was referred to the Committee on the Judiciary, would have preempted state law only to the extent it was inconsistent.

For more on other data security bills introduced in the 109th Congress, see this Alert.

“Pretexting” is the acquisition of customer records from telecommunications carriers by fraudulent means, most commonly by pretending to be the phone customer whose information is sought. The Hewlett-Packard (“HP”) scandal, which erupted this fall and grabbed national headlines, made pretexting famous, but the practice has been a problem for years.

The issue actually came to the attention of Congress, the Federal Trade Commission (“FTC”), the Federal Communications Commission (“FCC”) and state legislatures and regulators last year when the Electronic Privacy Information Center (“EPIC”) filed a report with the FCC pointing out the existence of numerous websites advertising the sale of personal phone records.

During 2006, fifteen states, including California, passed laws banning pretexting to obtain phone records; the FTC brought enforcement actions under its unfair and deceptive trade practice authority against five online data brokers that were selling phone records; numerous state Attorneys General took action against data brokers under “little FTC Act” laws; and the FCC proposed new rules (discussed below) applicable to telecommunications carriers designed to further safeguard consumer phone records. At the beginning of the year, nearly a dozen bills addressing pretexting were introduced in Congress. The House unanimously passed H.R. 4709, the Telephone Records and Privacy Protection Act of 2006, in April, but the bill languished in the Senate throughout most of the rest of the year, gaining new life after the public revelation of HP’s pretexting in connection with its investigation of media leaks.

On December 9, 2006, the Senate approved H.R. 4709 by unanimous consent. Among other things, the statute imposes criminal liability for those who intentionally purchase or receive, or attempt to purchase or receive, customer phone records, with knowledge or reason to know that the information was obtained fraudulently. Despite criticisms of H.R. 4709 by consumer groups who object to the exception for law enforcement and who prefer the approach in other bills requiring extensive new safeguarding requirements for telecommunications carriers, the President is expected to sign the bill.

California High Court Hears Argument Regarding Invasion of Privacy Claims

On Tuesday, December 5, the California Supreme Court heard argument in the case of Taus v. Loftus, S133805. Loftus is a psychologist and UC Irvine professor who allegedly misidentified herself for the purpose of obtaining information to dispute conclusions of a case study regarding repressed memory. Loftus allegedly used public records to find Jane Doe, now identified as naval aviator Nicole Taus, the subject of a study by psychiatrist David Corwin. As a child, Taus was the subject of a child custody battle in which her father, who prevailed, claimed his daughter had been abused by her mother. Corwin interviewed Taus first as a child during her parents’ divorce, and again more than a decade later. With Taus’ consent, Corwin wrote an article in 1997 that claimed that Taus had reported abuse as a child, blocked memories of the abuse, and spontaneously recovered those memories during their subsequent interview years later. Corwin’s article identified Taus as Jane Doe.

Loftus published a two-part report in 2002 casting doubt on Corwin’s conclusions, but did not identify Taus by name. In 2003, Taus revealed her own identity when she sued Loftus, her co-author Melvin Guyer, Carol Tavris (an author of another 2002 article regarding the case), the magazine where the Loftus article appeared, the Skeptical Inquirer (published by the Committee for the Scientific Investigation of Claims of the Paranormal), the University of Washington (where Loftus was employed), and Shapiro Investigations (a company that allegedly performed investigation services for Loftus). Taus’ lawsuit included claims for infliction of emotional distress, invasion of privacy, intrusion, fraud, and defamation with respect to Taus’ mental health and fitness for military duty. Taus alleged, among other things, that Loftus had obtained an interview with Taus’ former foster mother by misrepresenting that she was Corwin’s supervisor. Loftus denies that she ever made any such misrepresentation.

The case arrived at the Supreme Court on appeal from the First District Court of Appeal’s unpublished ruling in April 2005 that Taus was sufficiently likely to prove invasion of privacy against all appellants except Tavris, and defamation as alleged against Loftus, to survive an anti-SLAPP motion. Taus v. Loftus, A104689. During Tuesday’s argument, several of the Justices expressed concern regarding Loftus’ alleged misrepresentations to obtain the interview with the foster mother. Loftus argued that Taus had no expectation of privacy because she had provided consent to Corwin to publish her account and to show videotapes of the session at issue.

The case has potential implications for journalists, among others, who argue that a ruling in favor of Taus could result in lawsuits by news sources who contend, after the fact, that reporters obtained information by misrepresentation.

One update this week, and news regarding a significant new California Supreme Court decision on distributor immunity for defamatory Internet publications.

New AG Position on Prop 83

We previously reported on cases challenging recently passed Proposition 83, which increases penalties and parole terms for many sex crimes, requires felony sex offenders to wear GPS tracking devices for life, and subjects former offenders to expanded residency restrictions. Despite having taken the position on November 15 that the law does not apply retroactively, Attorney General Bill Lockyer appeared to reverse course on Monday, arguing that the measure bars all sex offenders from moving within 2,000 feet of a park or school. U.S. District Judge Jeffrey White of the Northern District of California set a hearing for February 23, 2007, extended the temporary restraining order barring law enforcement officials from evicting sex offenders now living within 2,000 feet of a school or park, and ordered the AG to submit briefing regarding its position after new AG Jerry Brown takes office. The AG asserted that its position had not changed; rather, it was responding to new circumstances.

Here are a couple of recent legal developments concerning the privacy implications of global positioning system (GPS) technology.

1) Not-So-Sly Fox

On November 9, Fox Rent A Car, a Phoenix-based company with locations throughout California, settled a complaint filed against it by Attorney General Bill Lockyer and the San Mateo District Attorney concerning Fox’s use of GPS to track renters’ mileage and destinations. The complaint alleged that Fox had used GPS technology (1) to track mileage in order to impose mileage fees, which directly contradicted Fox’s advertised policy of unlimited mileage; and (2) to charge customers fees for leaving the state.

Though the GPS tracking section of the complaint was based on , which forbids liquidated damage penalties of the kind Fox imposed for mileage, Fox’s actions likely also violate Civil Code § 1936(p), which prohibits rental car companies from employing “electronic surveillance devices” for the purposes of assessing fines or surcharges. That provision became effective January 1, 2005.

Under the terms of the settlement, Fox is enjoined from using GPS technology for any purpose other than tracking vehicles suspected of being lost or stolen. Fox must also keep a record of each time it uses GPS telemetry and must inform renters if it uses other surveillance technology. Fox will pay a total of approximately $700,000, including $200,000 in civil penalties and $89,000 in restitution to customers who incurred mileage and travel surcharges.