Privacy Law Blog

This Advertisement is Brought to You By...You

Robert D. Forbes — Mon, 01 Feb 2010 15:26:58 -0500

A new advertising icon was released last week by a privacy advocacy group in conjunction with a group of advertisers and agencies as part of an effort to educate consumers about behavioral advertising and head off federal regulation.

The “Power I” icon was released last Wednesday by the Future of Privacy Forum (“FPF”), a privacy policy think tank, along with a research report on the potential efficacy of icons and phrases in providing notice to consumers. The icon was developed in collaboration with advertising holding company WPP and input from ad industry leaders and privacy advocates.

The “Power I” icon is meant to be added to online advertisements that are targeted based on consumer data. When consumers click on the icon, they would be directed to a page containing information about how the delivery of the advertisement is influenced by the consumer’s browsing history and demographic info.

Although no advertisers are under any legal requirement to adopt the “Power I” icon, there is a consensus among industry leaders that greater self-regulation is necessary to ward off government intervention. In July, a consortium of cross-industry trade groups released their "Self-Regulatory Principles for Online Advertising," which included principles relating to increased notice to consumers regarding behavioral advertising and a major campaign to educate consumers about online behavioral advertising.

The debate over data gathering and behavioral advertising has grown more vocal over the past year. Congress held hearings on the subject in June 2009 in which executives from Facebook, Google and Yahoo were called to testify. In February 2009, the Federal Trade Commission (“FTC”) released a report which noted a number of consumer benefits of behavioral advertising but which warned that greater disclosure to consumers regarding data collection practices may be necessary – especially in light of the length and complexity of privacy policies posted on most companies’ websites.

Will regulators deem the new icon sufficient to warn consumers that certain advertisements are targeted based on the consumer’s behavioral data? Stay tuned to find out!

2009 Ponemon Institute "Cost of a Data Breach" Study Released

Natalie Newman — Fri, 29 Jan 2010 16:27:27 -0500

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies covering 15 various industry sectors, with the top represented industries including the financial, retail, services and healthcare industries. The size of the breaches experienced by companies surveyed ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations was in 2009 $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but represented a $66 dollar overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.

The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party.
36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.

District Court Rules TCPA Applies to Text Messages Even Though Recipient Not Charged to Receive the Message

Andrew Hoffman — Fri, 22 Jan 2010 14:45:43 -0500

The U.S. District Court for the Northern District of Illinois recently ruled that a plaintiff may maintain a suit for receiving an unsolicited Short Message Service (“SMS”) text message under the Telephone Consumer Protection Act (TCPA) of 1991, even though the plaintiff was not actually charged for receiving the message. In Abbas v. Selling Source, LLC, No. 09-CV-3413 (N.D. Ill. Dec. 14, 2009), Judge Joan B. Gottschall noted that in enacting the TCPA, “Congress was just as concerned with consumers’ privacy rights and the nuisances of telemarketing” as it was with cost-shifting of communications addressed by the TCPA. Judge Gottschall continued to state that “[a]utomated calls invade privacy and pose nuisances regardless of whether the called party is charged for the call, and so congressional intent is furthered by the TCPA’s application to both charged and uncharged calls.”

In the putative class action lawsuit, the plaintiff alleged that Selling Source sent him and others like him SMS text messages in violation of the TCPA. In pertinent part, the TCPA prohibits a person from making a call, other than a call made for emergency purposes or with the prior express consent of the recipient using any automatic telephone dialing system or an artificial or prerecorded voice. Selling Source moved to dismiss the complaint for the failure to state a claim upon which relief can be granted, alleging, amongst other things, that the TCPA does not apply to SMS text messages because SMS text messages are not a “call” within the meaning of the statute and that the plaintiff failed to demonstrate that he was charged for the text message he allegedly received.

The trial court noted that the meaning of “call” as used in the TCPA was ambiguous, but concluded that the meaning of “call” includes text messages. In reaching its conclusion, the court relied in part on the Ninth Circuit’s decision in Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 954 (9th Cir. 2009), which noted that “text messaging is a form of communication used primarily between telephones,” and in part on the FCC’s own interpretation of the TCPA such that it applies to text messages. The court also held that a person does not need to be charged to receive the text message to maintain a suit under the TCPA. The court rejected Selling Source’s argument that the TCPA could not apply to text messages because the statute was enacted before the advent of text messaging. Although the trial court dismissed the complaint because of the plaintiff’s failure to meet the federal pleading requirements, the court granted the plaintiff leave to amend to correct the pleading deficiencies.

French Supreme Court Limits the Scope of the Whistleblowing Processes

Cecile Martin — Fri, 22 Jan 2010 12:15:42 -0500

The implementation of codes of conduct and whistleblowing systems is expanding at the international level. Global companies must pay attention to local law requirements when rolling out these codes in foreign countries, in order notably to comply with the rules and regulations provided by the local data protection authorities to govern data processing.

A recent decision rendered on December 8, 2009, by the French Supreme Court provides a good illustration of issues that may be raised by local laws in the implementation of whistleblowing procedures abroad.

For the first time the French Supreme Court addressed the issue of the validity of a Code of Conducts that had been implemented by a listed company (Dassault Systèmes, a French Software company) in order to comply with the Sarbanes Oxley act.

By its decision, The French Supreme Court overruled the decision of the Court of Appeal, which had declared the whistleblowing system implemented by the Code of Conduct of Dassault Systèmes compliant with the French data protection authority (CNIL) and therefore legal.

In a landmark decision rendered in 2005, the CNIL considered that the broad and anonymous whistleblowing procedures of several companies, including the McDonald’s Company, that had been adopted in order to implement the requirements of the Sarbanes-Oxley Act, were contrary to French law and in particular to the French data protection law of January 6, 1978. The CNIL held that it had no fundamental objection to that kind of system, but it expressed the opinion that whistleblowing processes should not be transformed into an organized system of professional denouncement which may jeopardize the employees’ individual rights.

In order to reach a compromise between SOX requirements and French law provisions, the CNIL issued a Deliberation on December 8, 2005. The Deliberation states that the companies are authorized to roll out their whistleblowing systems provided they formally disclose the existence of the system and they comply with the requirements of the CNIL’s Deliberation. In particular, article 1 of the Deliberation provides that only the whistleblowing systems implemented in response to French legislative or regulatory internal control requirements or the whistleblowing requirements of the Sarbanes-Oxley Act in areas such as finance, accounting, banking and anti-bribery, may be covered by this Deliberation. Article 3 of the Deliberation provides that facts which are not included in these cores areas may be covered by the whistleblowing system if the vital interest of the company or the physical or mental integrity of its members is threatened.

If the scope of the whistleblowing process exceeds the CNIL’s Deliberation, the company is under the obligation to enter into a heavy process with the CNIL consisting in detailing the information collected, their recipients, the end-purpose of the data processing… and to get formal authorization of the CNIL. So far, the CNIL has never given its authorization when the scope of the whistleblowing system exceeds its Deliberation.

In the case at hand, Dassault had implemented a whistleblowing system under the Deliberation and a trade union challenged the validity of the system on the ground that the company should have sought a formal authorization from the CNIL because its scope exceeded the auditing and financial matters.

The Supreme Court ruled that the scope of the Code of conduct was too broad in that employees may report any breach of the Code relating to finance, accounting and anti- corruption areas but also any breach in others matters to the extent that it could threaten the vital interests of Dassault or the physical or moral integrity of an individual employee (intellectual property rights, confidentiality, conflict of interest, discrimination, sexual or psychological harassment).

The Court adopted a very narrow reading of the CNIL Deliberation because it came to the conclusion that the whistleblowing system could not be introduced under the Deliberation for a purpose other than those mentioned under the article 1 of the CNIL Deliberation.

In other words the whistleblowing system that would cover other breaches of the Code of Conduct should be authorized specifically by the CNIL on a case by case basis. Even though these breaches are material and may threaten the vital interest of the company or the physical or mental integrity of its members.

Last but not least the Supreme Court also found that Dassault’s Code of Business Conduct did not expressly mention that the individuals had a right of access to the information reported, and a right of rectification where the information is not correct.

As from a practical point of view, there is a strong likelihood that the CNIL refuses to grant an authorization for a whistleblowing system exceeding the scope of the CNIL’s Deliberation, it seems that now companies should restrict their whistleblowing systems to the core areas mentioned in the CNIL’s decision of December 8, 2005 to avoid their process be considered as invalid.

Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

Brendon Tavelli — Fri, 15 Jan 2010 09:38:56 -0500

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.

District Court Rules E-mail Order Confirmations Not Subject to FACTA

Kevin Khurana — Wed, 13 Jan 2010 09:30:47 -0500

We have written several times about courts (and Congress) helping to define the scope and applicability of certain provisions of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. One provision that has been frequently litigated, 15 U.S.C. § 1681c(g), involves FACTA’s so-called truncation requirements for printed transaction receipts. On December 2, 2009, in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009), Judge John W. Darrah of the Northern District of Illinois Eastern Division held that FACTA’s prohibition against the electronic printing of a debit or credit card’s expiration date on receipts was inapplicable to e-mail order confirmations (decision available here).

FACTA’s truncation requirements, 15 U.S.C. § 1681c(g), prohibit the “electronic printing” of any receipt at “the point of the sale or transaction” that contains the expiration date of a consumer’s credit or debit card or more than the last five digits of the credit or debit card account number. It is clear that this prohibition applies to hard copy receipts provided to consumers, but reported decisions regarding the applicability of FACTA to electronically displayed receipts are inconsistent in their holdings. Compare Grabein v. 1-800-Flowers.com, Inc., No. 07-22235 (S.D. Fla. Jan. 29, 2008) with Meehan v. Buffalo Wild Wings Inc., No. 07C4562 (N.D. Ill. Feb. 26, 2008). Nonetheless, many judges have held that FACTA does not apply to online receipts (see, for example, the Smith v. Zazzle.com case reported here). On December 2, Judge Darrah joined them.

In Shlahtichman, an electronic order confirmation containing plaintiff’s credit card expiration date was e-mailed to plaintiff after he placed an order through defendant’s website. The plaintiff alleged that this “receipt” violated FACTA’s truncation requirements. Judge Darrah, in coming to his conclusion, relied on the plain meaning of the word “print” and determined that under FACTA, an e-mail order confirmation is not an “electronically printed” receipt because “‘print’ is not commonly understood as a display on a computer screen.” Shlahtichman, 2009 U.S. Dist. LEXIS 112379, at *7 (citing Grabein v. Jupiterimages, 2008 WL 2704451, at *6 (S.D. Fla. 2008)). Judge Darrah also held that an e-mail order confirmation is not subject to FACTA because an e-mail is not provided “at the point of sale or transaction” due to the fact that an e-mail can be accessed from anywhere in the world. Id.

EU Article 29 Working Party Elevates Israel to Rank of Select Few Countries That Are Deemed to Possess "Adequate" Data Protection Laws

Jeremy Mittman — Mon, 11 Jan 2010 22:53:34 -0500

On January 5, 2010, the EU Article 29 Data Protection Working Party published an opinion finding that Israel provides an "adequate" level of data protection under the EU Data Protection Directive. Should the European Commission ("EC") adopt the Article 29 Working Party’s recommendation (and there is no reason to think that it would not), Israel will join the ranks of the select few countries that the EU has deemed to have an "adequate" level of data protection, such as Argentina, Canada, and Switzerland (notably, the United States is not on this list).

A determination that Israel provides an adequate level of protection means that a company transferring personal data from the EU to Israel does not need to enter into the "model contractual clauses" that the EC has ratified with an Israeli data importer, or develop "binding corporate rules" to transfer EU personal data.

The Article 29 Working Party analyzed Israel’s data privacy framework, with particular emphasis on the Israeli Privacy Protection Act ("PPA"). It found that the PPA provided data subjects with sufficient rights to access their personal data and avenues to rectify it if they believed it to be erroneous. The Article 29 Working Party also concluded that in several places where the statutory language of the PPA fell short of the rights provided under the EU Data Protection Directive, Israeli courts had developed a robust body of case law that had interpreted the PPA to provide for the protection of the privacy rights of data subjects.

Israel is not the only country whose privacy laws the Article 29 Working Party recently found to have an adequate level of protection; on January 5, it also published an opinion finding that Andorra satisfied the EU’s stringent requirements.

Netflix Sued for "Largest Voluntary Privacy Breach To Date"

Natalie Newman — Mon, 28 Dec 2009 14:45:28 -0500

On December 17, 2009, a class action suit was filed against online movie rental giant, Netflix, Inc., in the United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.”

According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the complaint sites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers.

Plaintiffs argue this disclosure constitutes a sever invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which… ] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’ ability to live peaceful lives within Plaintiff Doe’s community.”

The Video Privacy Protection Act (the “Act”) was originally enacted in 1998 (in response to a public disclosure of a Supreme Court nominee, Robert Bork’s, video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”

The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)).

In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)).

The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.

In addition to the Act, a number of states, including California, have also enacted similar video privacy laws. In addition to the Act and other laws, the Complaint alleges that Netflix has violated the California Customer Records Act (CA Civil Code 1798.80).

Facebook Simplified Its Privacy Policy, But Has Anyone Noticed?

Robert D. Forbes — Thu, 17 Dec 2009 11:37:19 -0500

The blogosphere has been abuzz lately about Facebook’s new privacy settings, but lost amid all the noise is Facebook’s implementation of a new user-friendly privacy policy.

For those who haven’t been paying attention (or who haven’t logged on to Facebook lately), Facebook’s 350 million users are being asked to refine their privacy settings with a new software tool that allows users to dictate who has access to each category of content the user uploads to the website. Critics have slammed the updated privacy settings in large part because of certain personal information that is deemed public to all Facebook members: your name, city, gender, photograph, your lists of friends and “fan” pages, and networks to which you belong. Facebook is also being criticized for the default privacy settings, which would allow a user’s status updates and other content to be shared with anyone on the internet. On December 17, 2009, the Electronic Privacy Information Center ("E.P.I.C."), joined by nine other privacy and consumer organizations, filed a complaint with the Federal Trade Commission asking for an investigation into these changes, which the complaint describes as "unfair and deceptive trade practices."

Lost amid this public outcry is Facebook’s recent move to a more user-friendly privacy policy. To comply with California’s Online Privacy Protection Act, operators of websites or online services that gather “personally identifying information” must conspicuously post their privacy policies online. This policy must (1) identify the personally identifying information the site or service collects and with whom it shares that information, (2) describe any available process by which a user may review and/or request changes to the personally identifiable information collected, (3) describe the process by which the site or service notifies users of material changes to its privacy policy, and (4) identify the policy’s effective date.

The problem with most privacy policies designed to comply with California’s law is that, generally speaking, privacy policies are dense and full of legalese. In the context of the federal Gramm-Leach-Bliley Act (“GLBA”), regulators have recognized that hard to read privacy policies are not helpful to consumers, and have taken steps to encourage more user-friendly privacy policies. (See our November 20 post regarding GLBA privacy notices here.) Facebook has responded to these concerns by adopting a completely rewritten privacy policy designed to make its policy more accessible and easier to understand.

For example, Facebook’s new policy includes a bullet point summary of key points at the beginning of the policy followed by section headings that allow users to jump to particular areas of the policy. Complex legal terms have been replaced throughout the policy by more basic language, with hyperlinks to pages containing more detail on key terms or issues. On Facebook’s company blog post detailing the new policy (available here), the company commits to adding additional definitions of key terms, screen shots of important pages, and “learn more” video content.

It isn’t hyperbole to say that Facebook’s privacy policies are subject to more public critique and impassioned criticism than any other in history. Regardless of your position on Facebook’s new default privacy settings, Facebook’s revised privacy policy is a step towards providing its users with clarity regarding how the information its users share is gathered and used. More importantly, the move toward a simpler online privacy policy is likely a sign of things to come in the Internet business community.

Data Breach Class Action Fails - Court Dismisses Securities Fraud Case Against Heartland

Scott J. Carpenter — Wed, 16 Dec 2009 15:08:52 -0500

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.

Back in December 2007, hackers attacked Heartland’s computer network – specifically the company’s payroll manager system. During 2008, Heartland worked to prevent theft of data from that system. Unbeknownst to Heartland’s personnel, however, the attack spread to the payroll processing system, from which hackers stole data regarding approximately 130 million credit and debit cards. It was not until January 2009 that Heartland discovered and publicly disclosed the breach, ultimately causing Heartland’s stock to suffer a significant decline in value.

Plaintiffs in In re Heartland Payments Systems, Inc. Securities Litigation claimed that Heartland and two of its executives made misleading statements about the breach and the nature of Heartland’s data security measures in violation of the Securities Exchange Act. In particular, plaintiffs alleged that during a February 13, 2008 earnings conference call, Heartland executives concealed the attack by indicating that large fourth quarter data security expenditures were not prompted by any particular security incident. As to that statement, the court found that the attack occurred “far too late in the quarter to have been the cause for the million-plus expenditure” and, thus, was not misleading. Also, during that February 2008 call, Heartland’s CFO stated that the company did not experience a security incident “that would put [Heartland] in a TJ Maxx position,” referencing the then-largest credit card data breach. Plaintiffs argued that this statement was false and misleading given the attack on Heartland’s systems; however, the court judged that, as of February 2008, hackers had not stolen any credit card information as was the case with TJ Maxx. Accordingly, the court ruled that the CFO’s statement was truthful.

In addition, turning to Heartland’s 2007 annual report and a November 2008 earnings call, plaintiffs alleged that Heartland misrepresented the condition of Heartland’s data security. According to plaintiffs, the annual report misrepresented that Heartland placed “significant emphasis on maintaining a high level of security.” And, during the November 2008 call, Heartland’s CEO allegedly made misleading statements when he discussed a rise in encryption standards and talked about the company’s need to improve its data security measures. The federal district court, however, disagreed with plaintiffs. The court found that the statements made in Heartland’s annual report and during the November 2008 call were not inconsistent with the fact that the company was the victim of hackers. Moreover, the court held that Heartland was not obligated to disclose the initial December 2007 attack. While plaintiffs may not have purchased Heartland shares had they known of the attack, “there is no general duty on the part of issuers to disclose every material fact to investors.”

You can read the court’s entire opinion here.

Special Radio Report: Oncidi Talks Privacy in the Workplace

Brendon Tavelli — Fri, 11 Dec 2009 10:51:30 -0500

There is an inherent tension between an employee's right to privacy and an employer's right -- and obligation -- to maintain a safe, productive, and hostility free environment at the office. The California business community is perhaps all too familiar with this conflict. Article I, section 1 of the California Constitution guarantees all California residents a right to privacy, including in some instances in their capacity as employees. A patchwork quilt of statutes, regulations and common law decisions also carves out certain areas to which a right of privacy may attach. But these rights must be balanced against an employer's business needs and legal responsibilities.

Click here to listen to Proskauer partner Anthony Oncidi talk about privacy in the workplace with Mari Frank, the host of KUCI's Privacy Piracy radio show.

Why All the Fuss about Reading an Employee's Emails?

Brendon Tavelli — Thu, 10 Dec 2009 11:55:22 -0500

Lately we've been writing a lot about employers, and their ability to read their employees' e-mails. From New Jersey, to Idaho, to France, this is a hot topic and we are following new developments in this area closely. To read Proskauer partner Katharine Parker's take on the issues, please take a look at her comments to the Wall Street Journal, published on November 19, 2009.

French Employers Can Open Files Located on a Company-Issued Computer Provided That They Are Not Clearly Identified As Personal

Cecile Martin — Thu, 10 Dec 2009 05:32:30 -0500

By a decision of October 21, 2009 (n°07-43877), the French Supreme Court ruled that files created by an employee on a computer issued by his employer for work purposes were presumed professional unless the employee identified them clearly as personal. This being said, the Court concluded that the employer was entitled to open these files in the employee’s absence and without having informed the employee in advance.

In this case, the employee was suspected by his employer to have competed unfairly with the employer’s business. To investigate these suspicions, the employer requested a bailiff to seek evidence from the employee’s work computer. In order to prevent the employee from erasing the evidence, the employer did not alert the employee that his work computer would be examined.

During his examination of the computer, the bailiff noticed that the computer contained a folder titled with the employee’s initials and, within it, two sub-files, one titled “personal,” the other titled with the name of the employer’s competitor. The bailiff only opened the second sub-file, titled with the name of the competitor, where he found evidence that the employee had engaged in unfair competition against the employer.

Supported by an affidavit of the bailiff, the employee was terminated for gross fault, i.e., without any indemnity. Thereafter, the employee initiated a lawsuit against the employer for violation of his privacy.

The Court of appeals found that the bailiff should not have opened the folder titled with the employee’s initials without first informing the employee or without the employee being present.

Until this case, the case law was unclear on whether folders or files located on an employee’s work computer but titled with the employee’s name or initials would be afforded privacy protection under workplace privacy laws. However in this ruling, the French Supreme Court made clear that all files created by an employee on an employer’s computer belong to the employer unless they are expressly identified as personal. By adopting this position, the French Supreme Court was consistent with the French Data Protection Agency (CNIL) which, since 2002, has advised that employees should be cautious when using their work computers for personal purposes.

This decision is most helpful in that it clearly informed French companies of the privacy rules that apply to folders and files that employees store on their work computers. If the employee has clearly identified the files as personal, the employer has no choice but to either obtain the employee’s prior consent before opening the files, or to go before a Court to get a Court injunction allowing the employer to open the files.

Attorney-Client Privilege Waived by Imputed Knowledge of Employee And Employee's Attorney of Employer E-Mail Monitoring

Jeff Neuburger — Fri, 04 Dec 2009 16:34:47 -0500

In August, we wrote about the ruling of a New Jersey appellate court in Stengart v. Loving Care Agency, Inc., in which the court took a very narrow view of the ability of employers to monitor the e-mail communications of employees over its computer networks. In that case, which is now on appeal to the New Jersey Supreme Court, the appellate court held that an employee did not waive her attorney-client privilege with respect to e-mails that she sent to her attorney while using the employer's computer network, but via her personal Web mail account, despite the existence of a broadly worded communications policy giving the employer the right to access all communications occurring over its network. The appellate court court ruled that even if the employer's policy applied to the employee (she disputed its applicability), the employer's right to access to such communications pursuant to that policy was limited by the employer's "legitimate business interests." Such interests did not extend, the court concluded, to the employee's communications with her attorney.

In contrast to the New Jersey court's narrow view of the applicability of such policies, the district court judge in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held that knowledge of employer monitoring of employee communications over its network could be imputed, not only to the employee but to the employee's attorney as well. As a result, the court held, the attorney-client privilege had been waived with respect to messages sent by the employee to the attorney using her employer-assigned e-mail account, and to messages sent to the employee at her employer e-mail address by the attorney.

With respect to the employee's knowledge of such monitoring, the court commented that it was “unreasonable for any employee in this technological age -- and particularly an employee [who received actual notice of such monitoring] -- to believe that her e-mails, sent directly from her company's e-mail address over its computers, would not be stored by the company and made available for retrieval.” The court further found that knowledge of such monitoring could be imputed to the employee's attorney with respect to messages that he sent to the employee because the e-mail address to which he sent the messages “clearly” put him on notice that he was sending to the employee's work address. The court commented that workplace e-mail monitoring “is so ubiquitous that [the attorney] should have been aware that the [employer] would be monitoring, accessing, and retrieving e-mails sent to that address.”

Interestingly, despite having concluded that workplace monitoring of e-mail communications is so ubiquituous as to put the employee and her attorney on notice that it was occurring, the court found that communications sent to the employee by other clients of the attorney in the multi-party litigation did retain their privileged status, because there was no evidence that the other clients knew or should have known of the workplace monitoring. In contrast to the employee and the parties' attorney, the court commented, “laypersons are simply not on ‘high-alert’ for such things as attorneys must be.”
The court in Alamar Ranch made clear that it was not ruling on whether the employee's communications would have been protected had she sent them while using the employer's computer network, but via a Web mail account, and cited Stengart v. Loving Care as an example of such a case. But note that a close reading of the opinion in Stengart v Loving Care indicates that the ruling in that case was not limited to employee communications by Web mail.

Consent to Cookies? Who Wouldn't?

Kristen J. Mathews — Fri, 04 Dec 2009 11:53:31 -0500

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.

Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer. “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site. These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.

Under the amended e-Privacy Directive, Web sites may only place cookies if the user has consented, after having been provided with clear and comprehensive information about the purpose of the cookie. The amended directive provides an exception to the consent requirement if the cookie is “strictly necessary” in order for the Web site to provide a service specifically requested by the user. While this exception is mildly helpful, it would not apply to most uses of cookies.

A recital (see recital 66) that prefaces the directive suggests that “where it is technically possible and effective,” consent may be expressed by using the appropriate settings of a Web browser or other application. However, it is unclear whether user consent can be obtained this way when the default Web browser setting is to accept cookies, as is the case with most Web browser software on the market.

Furthermore, due to the European law’s definition of “personal information,” the EU’s new rule even applies to cookies that do not collect a user’s name or contact information, on the grounds that anonymous cookies still enable a Web site to recognize a user who has been to the site before.

While this amendment leaves European companies in a state of alarm, it also leaves non-EU companies in a state of quandary. The EU (specifically, the Article 29 Working Party) consistently has taken the position that its personal data directive (an older sibling of the e-Privacy Directive) applies to wholly non-EU Web sites that place cookies on computers which are located in Europe. If the e-Privacy Directive also applies to all Web sites that drop cookies, the global impact of these amendments essentially requires every Web site to change its practices in about 18 months, which is the deadline by which European Member States must implement the e-Privacy Directive’s amendments.

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

Brendon Tavelli — Tue, 01 Dec 2009 22:26:58 -0500

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act ("MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

Brendon Tavelli — Fri, 20 Nov 2009 20:57:46 -0500

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form that is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which features a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, which included a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurned by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

The final model privacy notice form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. It is hailed as a consumer-friendly notice that allows consumers to easily compare the privacy practices of different financial institutions. Financial institutions that choose to use the model form, which will take effect 30 days after publication in the Federal Register, will obtain a “safe harbor” that declares them in compliance with the GLBA’s disclosure requirements. Publication of the final model privacy notice in the Federal Register is expected soon.

With the release of the model form, despite opposition from major industry players, the agencies plan to eliminate the existing sample clauses and accompanying compliance safe harbors, which limited the liability of financial institutions that issued privacy notices containing these sample clauses. Existing safe harbors and sample clauses will be phased out over a one-year period.

Massachusetts Finally Finalizes Data Security Regulations - We Think

Kristen J. Mathews — Mon, 02 Nov 2009 18:16:12 -0500

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts' "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in Jul 2007.

Regulation 201 CMR 17.00 ("Standards For The Protection of Personal Information of Residents of the Commonweath") was previoulsly amended in August in response to industry backlash.

This week's final amendments make very few changes to the regulations that were released in August:

The regulations apply to persons who "store" personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
Service Providers include persons who "store" personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
The express carve-out of the U.S. Postal Service from the definition of "Service Providers" has been removed
The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2010 effective date of the regulations has not changed.

We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Brendon Tavelli — Fri, 30 Oct 2009 20:45:57 -0500

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.

Who Cares If A List of Email Addresses Gets Stolen?

Kristen J. Mathews — Fri, 30 Oct 2009 19:34:17 -0500

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

The rejected settlement would have required Ameritrade to:

Post notices on its Web site warning customers about “stock touting spam”
Retain independent experts to conduct biannual penetration tests on its systems
Seed its email address databases with monitored email addresses for the purpose of detecting data compromises
Offer to pay for one year’s worth of a spam or virus filtering service for each of the 6 million customers whose email addresses were compromised
Retain an analytics specialist to perform analyses of whether the compromised data has been used to commit identity theft
If identity theft is detected, offer class members identity theft remediation services
Donate $55,000 to two anti spam projects
Pay plaintiffs’ counsel $1.9M in attorney’s fees

Since these settlement terms did not satisfy the judge, the parties will reconvene at a hearing on December 10, 2009.

The Ameritrade case has served as a reminder that companies should not ignore the importance of keeping contact information secure while focusing primarily on more sensitive information such as Social Security Numbers and financial account numbers. However, applicable laws that require companies to protect the security of individuals’ information generally do not apply to mere contact information. For that reason, it is still appropriate to classify contact information as “confidential” as long as your policies provide for reasonable protections for such information. As an example, since customer databases compile all customer contact information into one place, and are an attractive target for hackers, such databases should be afforded greater protection than individual documents that contain just one customer’s name and contact information. Similarly, when disposing of paper files containing customer contact information in mass, it would be a best practice, although not required by U.S. law, to shred such documents upon disposal.