The Third Circuit recently ruled that a labor union violated the federal Driver’s Privacy Protection Act (“DPPA”) when it accessed the motor vehicle records of Cintas employees for an improper “labor-organizing” purpose. In Pichler v. UNITE, the divided court affirmed the district court’s grant of summary judgment to the plaintiffs whose home addresses were obtained as part of the Union of Needletrades, Industrial & Textile Employees’ (“UNITE”) drive to organize Cintas employees. In reaching its conclusion, the court held that punitive damages may be awarded for violations of the DPPA. The court also concluded that the union’s assertion that it collected and used personal information from motor vehicle records for litigation — a permissible purpose under the DPPA — did not overcome the lower court’s finding that it collected and used the information for impermissible labor-organizing activities.
personal information
Another Court Affirms Narrowed Interpretation of Song-Beverly Credit Card Act
By Natalie Newman on
On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.
New Connecticut Law Threatens $500,000 Penalty for Privacy Violations
By Proskauer Rose on
On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008.
…
European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection
By S. Montaye Sigmon on
The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.
…
FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns
By Proskauer Rose on
On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.
…
In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States
By Proskauer Rose on
Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.