Data Privacy Monitor

Video Interview: Discussing Lessons in the Viacom/YouTube Suit on LXBN TV

Admin — Mon, 14 May 2012 13:36:24 -0500

Posted by Admin

A little while back I wrote on the lessons companies can learn from Viacom's massive suit against YouTube for copyright infringement. Just last week I had the opportunity to go back on LXBN TV with Colin O'Keefe to discuss the content of that post. In the short interview, found below, I explain the background of the case, lessons companies can learn and who those companies might be.

DPPA Does Not Prohibit Bulk Obtainment of Motor Vehicle Records

Erica Gann Kitaev — Mon, 07 May 2012 12:15:04 -0500

Posted by Erica Gann Kitaev

The Sixth Circuit Court of Appeals has upheld the dismissal of a purported class action lawsuit brought under the federal Driver's Privacy Protection Act, 18 U.S.C. § 2127, et. seq. (“DPPA”).

Plaintiffs’ claims in Wiles v. Ascom Transport System, Inc., Case No. 11-5342, were based on the bulk obtainment of personal information from Kentucky motor vehicle records. Named plaintiffs, all residents of Kentucky, brought the proposed class action suit against defendant Ascom, and others, claiming that the DPPA and their common law right to privacy were violated by Ascom’s purchase, use, and reselling of personal information contained in their motor vehicle records without a permissible purpose under the act.

In December 2010, the U.S. District Court for the Western District of Kentucky ruled that the bulk purchase of motor vehicle records without a "specific need for every record" does not violate the DPPA, a ruling which ultimately resulted in the dismissal of the action in its entirety in February 2010 on motion of Ascom. Plaintiffs appealed to the Sixth Circuit.

On April 30, 2012, in an opinion written by Lawrence P. Zatkoff, a U.S. district judge sitting by designation, the Sixth Circuit affirmed the lower court’s ruling. Plaintiffs’ claim relied on the premise that Ascom did not have a permissible purpose or use in mind for each and every individual record at the time that it purchased the motor vehicle records in bulk. The court thus framed the issue as whether or not the “bulk obtainment of such records for the purpose of ‘stockpiling’ such records violates the DPPA.” The court held that it did not.

Citing to cases from the Fifth, Seventh, and Eight Circuits, as well as its own recent opinion in Roth v. Guzman, 650 F.3d 603, the court noted that the plaintiffs did not cite to any authority that would support the conclusion the DPPA limits disclosure of personal information to one individual at a time or requires immediate use of the information. Rather, the court found, “the legislative history (of the DPPA) clearly establishes that Congress did not intend to alter the traditional method of bulk disclosures by states, subject to the express limitations set forth in the DPPA." Moreover, the court held that obtaining personal information solely for the purpose of reselling it is permitted by the DPPA if the information will be used by the buyer only for permitted purposes.

As to the common law privacy claim, the court held that it failed as a matter of law because plaintiffs had no reasonable expectation of privacy in the personal information contained in the records, nor did they allege that Ascom disclosed, or caused to be disclosed, their personal information to the public.

The opinion may be read here.

Online Calendar Paves Way for $100,000 HIPAA Settlement

Lynn Sessions — Wed, 02 May 2012 16:13:19 -0500

Posted by Lynn Sessions

Phoenix Cardiac Surgery recently entered into a $100,000 settlement with the U.S. Department of Health & Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement is the result of an investigation by the HHS Office for Civil Rights (OCR) after it received a complaint that Phoenix Cardiac Surgery had a publically available online calendar that included clinical and surgical appointments for its patients. The OCR investigation further revealed that the practice's HIPAA compliance was deficient in several other aspects, including implementation of policies and procedures to safeguard patient information, documentation of training employees on policies and procedures related to the Privacy and Security Rules, identification of a security official, completion of a risk analysis and failing to obtain business associate agreements for vendors of e-mail and calendar services that included storage of and access to electronic protected health information. In addition to the monetary settlement, Phoenix Cardiac Surgery will be required to take corrective action by implementing policies and procedures to safeguard its patients' protected health information with oversight by HHS.

Read the full announcement.

Article: "What Can Management Do to Protect the Organization from Inappropriate Use of Social Media?"

Craig Hoffman — Tue, 24 Apr 2012 16:37:55 -0500

Posted by Craig Hoffman

Baker Hostetler Partner Dan Guttman published “What Can Management Do to Protect the Organization from Inappropriate Use of Social Media?” in the winter 2012 issue of OHPELRA Update, the labor and employee relations trade publication covering all Ohio’s public employers.

In the article, Mr. Guttman notes that although social media outlets, including Facebook and LinkedIn, provide employers with new and growing opportunities for communication as well as for recruiting and hiring new talent, the use of social media by organizations and their employees also presents numerous challenges and risks, both in terms of efficiency and legal liability.

He also warns employers to proceed with caution and suggests organizations create a social media policy to identify and mitigate their potential sources of legal liability without hampering social media’s potential benefits to the company. He provides several guidelines consistent with federal and state law to consider and encourages employers to consult legal counsel to formulate a custom tailored social media policy to address their specific needs and their legal environment.

Maryland First to Enact Social Media Ban

Craig Hoffman — Fri, 20 Apr 2012 14:52:24 -0500

Posted by Craig Hoffman

Although it may not be a widespread practice among employers, asking employees or job applicants to provide passwords or access rights to social media accounts (e.g. Facebook or Twitter) has gained national attention and has been widely criticized by advocacy groups and politicians. While members of Congress are evaluating ways to prohibit the practice, Maryland became the first state to enact legislation prohibiting employers from requesting or requiring an employee or applicant to disclose any user name, password or other means for accessing a personal account. The law also prohibits employers from taking or threatening disciplinary action or refusing to hire a job applicant for refusal to disclose such information. The new law becomes effective on October 1, 2012.

The issue began gaining attention in Maryland when the Maryland ACLU filed a complaint after correction officer job applicants were asked to give their Facebook user name and password to the Maryland Department of Public Safety and Correctional Services. While the stated purpose of the state agency's practice was to check for gang affiliations, the agency rejected seven applicants based on the information it obtained and later decided to drop its requirement. The Maryland ACLU claimed the practice was illegal under the Stored Communications Act (SCA), which generally prohibits unauthorized access to electronic communications stored at an electronic communications service provider. Specifically, a violation of the SCA is committed by anyone who: "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;" or "(2) intentionally exceeds an authorization to access that facility; and thereby obtains...[an] electronic communication while it is in electronic storage in such system." 18 U.S.C. § 2701(a)(1)-(2). If employees or applicants consent and authorize the employer to access their social media accounts (and it is still an open issue as to whether the SCA applies to stored content in social media), there would be no violation. Thus, the Maryland ACLU argued that a "forced authorization" was not a valid authorization under the SCA.

Other states are following in Maryland's footsteps, with proposed similar legislation in Washington, California, Illinois, Michigan, New Jersey and New York. The Michigan proposal would impose both criminal and civil penalties if a violation occurs, with the criminal penalty constituting a misdemeanor, punishable by imprisonment for no more than 93 days, a fine of $1,000, or both. The New York bill would impose a civil penalty of $300 for the first violation and $500 for each subsequent violation. The California bill, which also would prohibit colleges and universities from requesting social media usernames and passwords from students, was approved by a California Senate committee on April 18.

Social media sites have also been vocal about their disdain for the controversial employment practice. On March 23, Facebook issued a statement on its blog: "If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information." The Facebook Terms of Service prohibit users from soliciting login information, accessing accounts belonging to someone else, sharing passwords or otherwise jeopardizing the security of their accounts.

Though Maryland is the only state to have enacted a law addressing this issue, employers across the board should be wary of requesting applicant and employee social media credentials. Information gained from employee social media sites, such as race, sex, age, disability, sexual orientation, religion or national origin, may put employers in a more precarious position and increase the risk of liability associated with making hiring, firing or promotional decisions.

If you have any questions about social media and employment law, please contact any member of Baker Hostetler's Employment and Labor or Privacy, Security and Social Media Teams.

Authorship Credit: Craig A. Hoffman, Jennifer D. Johnson and Daniel J. Guttman

US Supreme Court Finds that Mental and Emotional Distress are not "Actual Damages" under the Privacy Act

Kimberly M. Wong — Fri, 20 Apr 2012 11:42:16 -0500

Posted by Kimberly M. Wong

In privacy litigation, the majority of the federal courts have required demonstration of a certain tangible, provable harm before granting damage awards to plaintiffs claiming a violation of their privacy. The Supreme Court’s recent decision in Federal Aviation Administration et al. v. Stanmore Cawthon Cooper, case number 10-1024, is no different. In the Court’s March 28, 2012 5-3 decision, the Court held that mental and emotional distress are not actual damages under the Privacy Act of 1974, 5 U.S.C. §552, limiting the recovery plaintiffs can obtain under the statute to “actual damages” of pecuniary harm. The Court focused on the sovereign immunity doctrine and statutory interpretation in determining that the civil remedies provision of the Privacy Act allows for “actual damages” consisting only of pecuniary harm. The Court also acknowledged that because the term “actual damages” has a “chameleon-like quality,” an all-purpose definition cannot be relied upon, and that the term must be considered in the particular context in which it appears.

Under the Privacy Act, federal agencies are prohibited from sharing information about individuals without express consent. The civil remedies provision of the Privacy Act provides that for any act of an agency that is intentional or willful, the United States shall be liable for “actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recover receive less than the sum of $1,000.” 5 U.S.C. §552a(g)(4)(A).

The remedial provision of the Privacy Act was previously addressed by the Supreme Court in Doe v. Chao, 540 U.S. 614 (2004), where the Court held that the remedial provision of the Privacy Act authorized a plaintiff to recover a guaranteed minimum award of $1,000 for violation of the Act, but only if an “actual damage” was proven. Id. at 620, 627. While not addressing the meaning of “actual damages,” the Court in Doe observed that the Privacy Act’s remedial provision was similar to the remedial scheme for common law torts of libel and slander – under which a plaintiff can recover “general damages” only if he/she is able to prove “special harm” (also known as “special damages”), which is limited to actual pecuniary loss which must be expressly plead and proven. Id. at 622, n. 5, 625, 627, n. 12. The Court in Doe, noting that a circuit split existed at the time, left open the definition of what qualified as “actual damages.” Id. at 627, n. 12.

In the 2007 case plaintiff filed against the Federal Aviation Administration, the Social Security Administration and the U.S. Department of Transportation, Cooper, a pilot, claimed that the agencies, in violation of the Privacy Act of 1974, during a joint investigation into potential medical fraud by pilots, had improperly shared information about his HIV-positive status. Cooper had kept his HIV status undisclosed for years, and his pilot license was revoked when the information was disclosed during the joint agency investigation in 2005. Cooper eventually was recertified as a pilot upon his application for recertification. Cooper sought recovery under the Privacy Act for “humiliation, embarrassment, mental anguish, fear of ostracism, and other severe emotional distress.” Cooper failed to allege any pecuniary or economic loss.

The Supreme Court’s holding in FAA v. Cooper reverses the Ninth Circuit’s February 2010 ruling that “actual damages” under the Privacy Act, unambiguously defined, allows for recovery of both pecuniary injuries and emotional damages. The Ninth Circuit’s decision reversed the California district court’s 2008 decision, grounded in the principles of sovereign immunity, that the Privacy Act does not authorize the recovery of damages from the government for nonpecuniary mental or emotional harm.

While the decision in FAA v. Cooper specifically addresses actual damages under the Privacy Act, the Court’s analysis of the definition of “actual damages” is notable in the context of privacy litigation generally. An upholding of the Ninth Circuit’s decision would have allowed plaintiffs to pursue monetary damages for emotional distress in privacy litigation where plaintiffs claim a loss of privacy, including data breach cases, where pecuniary loss as a result of data breach is difficult to prove.

Update to Cybersecurity / Data Breach Notification Legislative Outlook

William J. Weber — Wed, 18 Apr 2012 10:50:32 -0500

Posted by William J. Weber

Congress is back from a two week Easter recess and despite lingering concerns from privacy groups, House leaders plan to bring to the floor for votes one or more cybersecurity bills designed to protect the nation’s critical infrastructure – from power plants to financial markets – by encouraging information sharing about cyber threats between the government and private business. The bills could be considered as early as next week.

House Intelligence Committee Chairman Mike Rogers (R-MI) has been working over the recess to address concerns of privacy advocates about his Cyber Intelligence Sharing and Protection Act, H.R. 3523. In recent redrafts, the bill has been revised to include data minimization language to reduce the amount of detailed information businesses would share with the government. Further, the bill now eliminates references to theft of IP that raised concerns similar to the anti-piracy/anti-counterfeiting bills that withered in the face opposition earlier this year (SOPA/PIPA, S. 968/H.R. 3261). It would also now allow lawsuits against the government for intentional or willful improper disclosure of personal data that’s been collected. (Note: the above link to the April 16 discussion draft which incorporates amendments adopted at markup (in green) and new potential amendments under consideration (in yellow for changes from the April 12, 2012 draft and in blue for new changes in this draft).)

However, opposition to a communications monitoring provision in Rogers’ bill continues from a coalition of privacy and civil liberties groups that fear the language is too vague and would allow companies to share user data with the government without a court order. The Electronic Frontier Foundation is leading a twitter campaign against “CISPA” this week using the hashtags #CongressTMI and #CISPA. Other groups are concerned about provisions that would cut off FOIA access to information companies share with the government. More about their concerns can be found here and here.

Business groups are also weighing in on cybersecurity this week. A coalition of 26 associations wrote House leaders today urging them to focus on several policy principles without endorsing or opposing any of the bills. The organizations range from the American Chemistry Council to the Real Estate Roundtable and they want Congress to take a “nonregulatory step forward” on cybersecurity by improving liability protections, strengthening cyber R&D, reforming FISMA, educating the public, and supporting public-private collaboration. Read the full letter.

Another House bill that could come up next week is the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness or “PRECISE” Act, H.R. 3674, which would define DHS’ roles and responsibilities and create a private, not-for-profit organization to facilitate best practices, provide technical assistance, and enable the sharing of cyberthreat information. The bill was approved by the Homeland Security Committee yesterday on a 16-13 party line vote. Democrats said the scaled-back bill doesn't establish DHS as the lead cybersecurity agency. Read Rep. Lungren’s (R-CA) revised bill.

Also approved separately yesterday by the Oversight and Government Reform Committee, by voice vote, was the Federal Information Security Amendments Act, H.R. 4257, which would require federal agencies to continuously monitor government IT systems and perform regular threat assessments.

A fourth bill that the House could vote on next week is the Cybersecurity Enhancement Act, H.R. 2096, intended to improve cybersecurity R&D and technical standards. It was approved last fall by the House Science, Space, and Technology Committee. The same committee also recently approved H.R. 3834, which overhauls policies for funding R&D in unclassified computing, networking and information technology, including cybersecurity, and could also be considered next week.

A sixth bill, the SECURE IT Act of 2012, H.R. 4263, was recently introduced as the House companion to Sen. McCain’s alternative cybersecurity bill (S. 2151), but has yet to see committee action and is unlikely to come to the House floor next week.

House Commerce, Manufacturing, and Trade Subcommittee Chairwoman Mary Bono Mack has expressed her desire to bring up her data breach notification measure, the SAFE Data Act, H.R. 2577, during the cybersecurity debate, but odds are slim that it could garner enough support to hitch a ride on cybersecurity legislation. Several of her colleagues are not on board that such legislation is necessary, despite continuing reports of data breaches.

On the Senate side, the primary bill, the Cybersecurity Act, S. 2105, which would establish minimum security standards that certain companies must meet, remains stalled while the bipartisan sponsors work to address Republican concerns with the bill, described in a February 15, 2012, post. If one or more of the House bills advance next week, the Senate could act on cybersecurity in May. The outlook for data breach notification legislation on the Senate side also remains doubtful, though work continues at the staff level.

Lessons Learned from the Second Circuit's Reinstatement of Copyright Suit Against YouTube

Gerald Ferguson — Fri, 06 Apr 2012 14:23:51 -0500

Posted by Gerald Ferguson

The Social Media revolution is built on two legal foundations – the Digital Millennium Copyright Act (“DMCA”) which generally protects websites that host user generated content from copyright claims, and the Communications Decency Act, which generally protects such websites from claims based on the publication of defamatory or other illegal content. The Second Circuit sent shockwaves through one of those foundations – the DMCA – by issuing a decision yesterday that reinstated copyright claims made against YouTube based upon videos posted on the YouTube site by users. While the direct implications of this suit for YouTube may be minimal -- YouTube has stated that the suit on remand only involves a handful of videos that were eliminated many years ago -- the decision should be taken as a warning by any website hosting user generated content.

In March 2007 Viacom International Inc. (“Viacom”) filed suit against YouTube, Inc. alleging copyright infringement of the content of the company’s television programs and movies which were displayed on YouTube’s popular website. Many other copyright owners joined the suit. Following a long line of decisions that have insulated website operators from copyright suits based on content posted on the site by users, District Judge Stanton dismissed the complaint, citing the protections offered by the DMCA. Yesterday, April 5, 2012 the Second Circuit upheld most of Judge Stanton’s decision but remanded specific issues for trial.

The Second Circuit’s decision minimizes the level of protection service providers recently enjoyed under the DCMA against copyright claims. In the earlier decision of this matter, the district court was presented evidence that surveys by YouTube employees showed that many of the videos on the site might be the result of potential copyright infringement. The court, however, found that such knowledge constituted only generalized knowledge of possible infringement and not specific type that fell outside of the protection of the DMCA. However, Judge Stanton did not consider the willful blindness doctrine, which would assess whether YouTube made a “deliberate effort to avoid guilty knowledge” of specific infringing activity on its website.

In reversing part of the district court’s decision, the Second Circuit ruled that a trier of fact may apply this doctrine “to demonstrate knowledge or awareness of specific instances of infringement under the DCMA” in order to determine whether YouTube should receive protection under the act.

The good news for a host of user generated content is that the Second Circuit affirmed that the DMCA does provide broad protection for hosts of user generated content. Specifically, the Second Circuit affirmed the following protections provided by the DMCA:

The website operator still must have knowledge or awareness of “specific and identifiable infringements.”
A host of user generated content has no duty to moderate the site or seek out specific infringing activity.
A host of user generated content is not subject to liability under vicarious infringement principals merely because it has the ability to block content.

The following activities by the host of user generate content were specifically found to be protected by the DMCA: “transcoding content” (converting it to another format); playing back content at user’s requests; and providing for the automated indexing of content.

But in reinstating part of the case for trial, and by directing the district court to make factual findings on specific issues, the Second Circuit identified conduct that could place any host of user generated content at risk of losing the safe harbor protection of the DMCA:

Communications by employees which suggest awareness that specific content posted by users is infringing.
Activities which a jury might view as attempts to avoid knowledge that content posted by users is infringing.
Syndicating or licensing user generated content to third parties.

While the DMCA remains alive and well after the Second Circuit’s Viacom decision, the hosts of user generated content should not assume that they are insulated from liability just because they are complying with the formal procedures established by the DMCA for the removal of infringing user generated content from websites. The host of any user generated content should review their practices and procedures in light of the “issue of fact” identified by the Second Circuit’s Viacom decision, to ensure that they are minimizing the risk of copyright liability for the acts of others.

Authorship credit: Gerald Ferguson & Peter Brown

Video Interview: Discussing the Potential Impact of the FTC's "Do Not Track" Initiatives on Premium Online Content with LXBN TV

Gerald Ferguson — Tue, 03 Apr 2012 14:09:13 -0500

Posted by Gerald Ferguson

This week Gerald Ferguson, National Co-Leader of the Baker Hostetler Privacy Security and Social Media Team had the opportunity to speak with Colin O'Keefe of LXBN TV on the subject of a post from last week: "FTC's "Do Not Track" Initiative Could Create New Market for "Paid For" Internet Content." In the post, Mr. Ferguson discussed the potential for the FTC's new "Do Not Track" initiatives to create a new market for paid-for online content. In the interview with O'Keefe, I explained what "Do Not Track" is, the technology at play and how it could change the market for premium online content.

FTC Issues Final Report with Guidance on Companies' Online Privacy Practices

Craig Hoffman — Tue, 03 Apr 2012 09:14:11 -0500

Posted by Craig Hoffman

Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The much anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach notification, and data broker legislation in addition to advocating that companies self-regulate by adopting the best practices set forth in the FTC’s privacy framework. The mix of baseline privacy legislation and industry self-regulation tracks the Obama administration’s white paper recommendations for a “privacy bill of rights” and industry codes of conduct enforced by the FTC.

The three prongs of the FTC’s recommended “best practices” to protect consumers’ private information are:

1) Privacy by Design—building in privacy at every stage of product development;

2) Simplified Choice—simplifying consumers’ and businesses’ ability to make choices about their information, such as through a “Do Not Track” mechanism; and

3) Greater Transparency—improving transparency in and consumer access to data collection and use policies.

In response to over 450 public comments to its preliminary report, which are heavily cited throughout the final report, the FTC altered some of its previous recommendations. First, the FTC recognized the burden faced by small businesses in meeting the FTC’s recommendations. Thus, the final framework does not apply to companies that collect non-sensitive data from fewer than 5,000 customers per year. Additionally, in response to concern that data can be “reasonably linked” to consumers, and computers or devices, the Commission clarified that data is not “reasonably linked” where a company takes reasonable measures to ensure data is de-identified, publicly commits to not trying to identify data, and contractually prohibits downstream recipients from trying to re-identify the data.

Secondly, while the FTC previously proposed a list of five “commonly accepted” information collection and use practices, many commentators were concerned these practices could stifle innovation. In response, the new guidelines state companies do not need to provide choice before collecting and using consumer data for practices consistent with the transaction, the company’s relationship with the consumer, or as required by law. Thirdly, the Commission now recommends that any legislation addressing the practices of information brokers include procedures for consumers to access and dispute personal data held by information brokers.

The final report summarized the enforcement actions brought by the FTC since it issued the preliminary report, highlighting enforcement priorities that involve website privacy policies and practices, online behavioral advertising, COPPA, FCRA, and data security. The FTC also identified five key areas it plans to focus its policymaking efforts on in the next year to promote the implementation of its privacy framework:

Do Not Track—implementing an easy-to-use, persistent, and effective Do Not Track system;
Mobile—improving privacy protections through short, meaningful disclosures;
Data Brokers—supporting targeted legislation that would require data brokers to create a centralized website that would identify brokers to consumers and detail access rights and choices consumers have;
Large Platform Providers—exploring issues related to comprehensive tracking of online activities by ISPs, operating systems, browsers, and social media; and
Promoting Enforceable Self-Regulatory Codes—working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct, with the carrot that compliance with such codes will be viewed favorably by the FTC when it comes to enforcement.

The FTC cautioned that, to the extent the framework exceeds existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC. However, expect to see the principles of the privacy framework continue to appear as requirements of consent orders the FTC enters into to resolve the enforcement actions it brings. Indeed, the FTC did just that the day after releasing its final report when it announced that it had entered into a proposed settlement agreement with social game site operator RockYou (prior coverage here) to resolve the FTC’s claims that RockYou failed to protect the privacy of its users when hackers gained access to the user names and passwords of 32 million users and violated COPPA by collecting information from 179,000 children.

Authorship Credit: Craig A. Hoffman & Jennifer D. Johnson