Fourth Quarter 2011
In This Issue:
I. BEHAVIORAL TRACKING
II. ONLINE AND CONSUMER PRIVACY
III. MOBILE AND COMMUNICATIONS PRIVACY
A. Case Regarding Ability to Send Text After Consumer Opts Out Survives Motion to Dismiss B. France Telecom Industry Launches Do-Not Call Registry
IV. DATA BREACH AND DATA SECURITY
V. WORKPLACE PRIVACY
I. BEHAVIORAL TRACKING
A. Enforcement of the OBA Self-Regulatory Principles
The Online Interest-Based Advertising Accountability Program recently released six decisions signaling the beginning of the Accountability Program's formal enforcement of the Self-Regulatory Principles for Online Behavioral Advertising. The rules and procedures for the Accountability Program are set by the National Advertising Review Counsel. In August, the Accountability Program began testing various companies' opt-out procedures across several internet browsers. Notably, four of the six companies who were the subject of self-regulatory inquiries had opt-out requests set to expire in one year or less. The Self-Regulatory Principles require opt-outs to remain in effect for at least five years from the date a consumer exercises choice. Companies found in violation of the Self-Regulatory Principals are asked to quickly bring their programs into compliance.
TIP: The Accountability Program has pledged vigorous oversight and enforcement of the Self-Regulatory Principles. If your company uses vendors to help serve targeted ads, or your website serves targeted ads, ensure you and your vendors are in compliance with the self regulatory program offered through aboutads.info. Your company should also consider periodic monitoring of the functionality and usability of your opt-out program across different internet browsers.
B. Facebook Sued in (Another) Class Action Over Tracking Practices
Facebook is facing another consumer class action suit over its alleged practice of using tracking cookies to collect information from users when they were logged out of their Facebook accounts. Plaintiffs allege that Facebook tracked, collected and stored users’ online activities, including portions of internet browsing history. Further, plaintiffs allege that the information collected by Facebook when users were logged off contained personal data and electronic communications. All of these actions were allegedly done without plaintiffs’ consent, and according to the plaintiffs, in violation of Facebook’s privacy policy. Plaintiffs brought suit under the Federal Wire Tap Act and a number of state law theories. As of late November, there have been sixteen similar cases filed against Facebook. This particular case is currently pending in the Western District of Arkansas.
TIP: Work closely with your IT team to ensure that you understand the tracking activities that may occur on your websites. Where appropriate, clear disclosures may help lower potential liability in cases like this one.
C. Class Action Complaint Filed Against Facebook for Tracking Logged-Out Users
In a case mirroring one we reported on recently filed in Arkansas, Facebook is facing another class action complaint regarding its tracking of users. According to the complaint, this time filed in Kansas, Facebook allegedly tracked, collected, and stored its users' wire or electronic communications, including their Internet browsing history even when the users were not logged-in to Facebook, without their consent. Plaintiffs argue that this conduct violates the Federal Wiretap Act, violated Facebook's privacy policy, and Kansas' Consumer Protection Act.
TIP: Continue to be vigilant in working with your website developers to understand what tracking tools are being employed on your sites, and where necessary, have clear disclosures about those activities.
D. Entertainment Website Settles Class Action Claim Over Flash Cookies
In another class action suit over flash cookie tracking, video entertainment website Metacafe agreed to a settlement barring it from using flash cookies to track users without their consent. Plaintiffs alleged Metacafe used flash cookies to track users and transmit personally identifiable information to third parties, and through the use of those flash cookies, circumvented users’ browser settings (which is where a user normally rejects or deletes cookies). Under the proposed settlement, Metacafe may not use flash cookies (also known as “local shared objects” (LSOs)) to circumvent browser settings or re-spawn HTTP cookies. Further, if Metacafe continues to place LSOs on users’ computers, it must disclose this practice in its privacy policy. The settlement will provide compensation to class members who can demonstrate financial loss attributable to Metacafe, as well as $400,000 in attorneys’ fees.
TIP: Companies should determine if their websites use flash cookies, and if so, should make sure that they have sufficient disclosures about how users can control use of and delete those cookies.
E. Class Action Against Amazon.com Over Browser Privacy Settings Dismissed
On December 1, 2011, the U.S. District Court for the Western District of Washington dismissed a class action lawsuit against Amazon.com alleging violation of the Computer Fraud and Abuse Act ("CFAA") and several state law claims based on Amazon.com's use of cookies and related tracking technologies. In dismissing the case, the court found that the plaintiffs failed to allege that Amazon's actions caused any legally cognizable harm. The plaintiffs had alleged that Amazon exploited a known weakness in Internet Explorer's cookie filtering functionality to install cookies on their computers despite the fact that they had set their browser privacy settings not to accept cookies, and that Amazon modified Flash cookies so that they would appear to be regular cookies and be installed as well. The plaintiffs argued that Amazon's actions installing these cookies and tracking their online behavior harmed them by (1) causing the devaluation of their confidential information; and (2) damaging their computers by impairing performance. The CFAA is a criminal statute that provides a civil cause of action against someone who knowingly, and with intent to defraud, accesses a protected computer without authorization and causes damages of at least $5,000. The court, in granting Amazon's motion, found that the plaintiffs did not allege any specific facts that would support any damages, nor did they show how the performance of their computers was impaired by installation of the cookies. Because they did not prove these elements, the court found that the plaintiffs did not meet the threshold damages requirement of the CFAA. The court found that this also defeated the state law claims. Additionally, the court noted that Amazon's privacy policy disclosed that it would use cookies and flash cookies to track user behavior and share the information with third parties.
TIP: Companies that use tracking technologies on their Web sites should ensure that the Web site privacy policy clearly and accurately describes those tracking technologies. This is particularly true in the case of flash cookies.
II. ONLINE AND CONSUMER PRIVACY
A. Facebook Settles Privacy Complaints with Federal Trade Commission
The Federal Trade Commission has just announced a settlement with Facebook, Inc. in connection with charges by the FTC that Facebook engaged in deceptive privacy practices. The FTC alleged that Facebook did not disclose to users that their Facebook information could be accessed by third parties without the users' explicit authorization. In particular, according to the FTC, although Facebook's privacy controls led users to believe that they could control who could see and access their profile information, platform applications could access user profile information regardless of the user's privacy settings. In addition, the FTC claimed that Facebook's privacy policies stated that applications could only access information related to the purpose of the application. In practice, however, the FTC alleged that applications could access more information than necessary to function. Furthermore, the FTC alleged that Facebook engaged in a violation of the FTC Act when it revised its privacy practices in December 2009. In particular, when Facebook announced its new practices, it claimed that users would have more control over their information. But, it did not disclose that after the revised privacy practices went into effect, they overrode users' previous privacy settings. In addition, contradictory to statements made to users by Facebook, Facebook shared user information with its advertisers without users' consent, to allow advertisers to target advertising to users based on users' profile information. Finally, the FTC claimed that Facebook failed to delete user information after a user deactivated or deleted their Facebook account, and Facebook continued to display photos and videos uploaded by the user, and did not disable third party access to such user information, even after the user deleted or deactivated his or her account, despite promises to the contrary.
The proposed settlement requires Facebook to accurately disclose the extent to which it maintains the privacy of user information, including its collection and disclosure of information, the extent to which a user can control the privacy if his or her information, the extent to which Facebook discloses information to third parties, and the steps Facebook takes to verify the privacy or security offered by third party providers. Furthermore, under the proposed settlement Facebook will be required to obtain a user's express affirmative consent before enacting changes that would override the user's existing privacy preferences, and prohibits Facebook from accessing user information more than 30 days after the user has deleted his or her account. Facebook will also be required to establish and maintain a comprehensive privacy program which addresses the concerns set forth in the FTC's complaint, and for the next 20 years must obtain a third-party audit of such privacy program to ensure compliance with the FTC's order and applicable law. Finally, Facebook will be required to maintain its records for FTC inspection in order to allow the FTC to monitor Facebook's compliance. If Facebook engages in conduct that violates the settlement, Facebook may be subject to fines of $16,000 per violation, per day.TIP: Websites that collect and store user information should ensure that they are accurately and comprehensively disclosing how user information will be used and disclosed. Companies should also take care when making material changes to privacy practices. The terms of this settlement also serve as a reminder that the FTC expects companies to have in place comprehensive privacy programs, and the mechanisms to ensure compliance with those programs.
B. Kids Social Networking Site Settles COPPA Charges, Includes Civil Penalties of $100,000
The FTC has just announced a settlement with the operator of a social networking website for kids. The website, Skid-E-Kids (www.skidekids.com), is directed to children between 7 and 14, and bills itself as the "Facebook and MySpace for Kids." According to the FTC complaint, a child who visits Skid-E-Kids is able to register and begin using his or her account without parental consent. A child provides his or her birthdate (which can be under 13), and then is prompted to enter an email address (i.e., personal information under COPPA). According to the complaint, at no point does the site reach out to parents to obtain parental consent, and the child can freely use the site, including submitting full name (more personal information under COPPA), uploading pictures, and sending messages to other users. Over five thousand children were able to register on the site, according to the complaint. In settling, the website operator (an individual) agreed to obtain parental consent in the future, to delete information collected, to remove misrepresentations from his privacy policy, and to operate under a five year consent decree. The defendant is also to pay $100,000 in civil penalties, although the consent decree permits him to pay a lower amount if he can establish that he does not have the financial means to pay the full penalties.
TIP: Since it is unlikely that social media sites would fall under an exception to the need to collect verifiable parental consent, ensure that you have taken measures to either block children under 13 or you obtain verifiable parental consent before allowing children to participate in forums where personal information is collected.
C. Pandora Sued for Allegedly Sharing User Data Without Consent
A class action lawsuit was recently filed against Internet radio service Pandora for alleged violations of Michigan’s Video Rental Privacy Act. The complaint alleges that although Pandora said users’ profile pages would be accessible only to other registered Pandora users who knew an individual’s “unique-mail address,” Pandora made these records publicly available. The plaintiffs further allege that Pandora integrated users’ profile pages with their Facebook accounts without first obtaining consent from the users. The plaintiffs allege that these activities violate Michigan’s Video Rental Privacy Act, which prohibits the disclosure of information regarding both of customers’ video rental/borrowing history and customers’ sound-recordings rental/borrowing history. The plaintiffs are seeking $5,000 in damages per class member.
TIP: Companies that engage in sharing and tracking of customer information should use caution. Many lawsuits are being filed under a variety of theories. One way to help limit potential exposure is to work with counsel to ensure that proposed information can be shared or tracked. Companies should also review public statements–both privacy policies and advertising copy–to ensure the statements accurately reflect current activities.
D. Web Rewards Program Sign-Up Disclosures Found to be Sufficient
In a recent class action lawsuit, an online marketing company was accused of tricking consumers into enrolling into certain membership programs. The District Court for the District of Massachusetts granted the defendants’ motion for summary judgment, reasoning that the plaintiff “cannot now show the necessary connection between the allegedly deceptive materials and her mistaken enrollment such that the defendants would be responsible for the asserted harm.” The court further held that the company’s marketing of the programs was not deceptive. The court reasoned that the on-screen disclosures were “clear and easily understandable by anyone capable of making an online purchase” The court found it persuasive that the plaintiff had to take several affirmative steps to become a member of the programs, including typing her email address and affirmatively pressing the “Yes” button. The court also stressed the fact that the plaintiff received a confirmation screen and separate emails for each program with reminders that if she did not cancel, she would be charged automatically after the trial period ended.
TIP: This case demonstrates that having an opt-in approach with clear and understandable disclosures of all material terms can help to establish that valid online consent has been obtained.
E. Actress Sues Over Posting of Her Age on IMDB.com
An actress (who filed the complaint as “Jane Doe”) recently sued IMDb.com (and its owner Amazon.com, Inc.) for disclosing her age on the IMDb.com website. IMDb.com attempts to list every production upon which a writer, performer or crew member has ever worked. IMDb.com offers a paid service, called IMDbPro, which provides additional information to paying customers. According to the complaint, the actress subscribed to IMDbPro, and provided her personal and credit card information to pay for the subscription. Shortly after subscribing, the actress alleges that she noticed that her legal date of birth had been added to her public acting profile, revealing that she is much older than she looks. The actress sued for breach of contract, and a violation of Washington’s privacy act. The case is currently pending, and the actress may be compelled by the court to reveal her name.
TIP: This case is a reminder that revealing personal information–including dates of birth-can be a sensitive area for many. Care should be taken to vet data storage, protection and disclosure programs and ensure that they are not only compliant with laws, but that related risks have been considered and managed.
III. MOBILE AND COMMUNICATIONS PRIVACY
A. Case Regarding Ability to Send Text After Consumer Opts Out Survives Motion to Dismiss
According to a complaint filed in the Southern District of California, a bank customer received an unsolicited text message from his bank after inquiring about a personal line of credit. The message indicated that the bank needed to talk to the customer about "your recent application." The customer opted out as directed in the text, and received a confirmation text indicating that the bank would no longer send him text messages. The customer filed suit, alleging that both messages violated the Telephone Consumer Protection Act, since they were sent without his consent. The bank moved to dismiss, and the court denied the motion stating that the appropriate way for the bank to establish that the customer's claims were not founded was a motion for summary judgment, not a motion to dismiss.
TIP: This is one of several cases that has been filed alleging that a company has violated the TCPA by sending a confirmation to let a consumer know that an opt-out request was received and would be honored. As we have indicated previously, companies should take steps to ensure that their text message opt-out procedures are compliant with the TCPA.
B. France Telecom Industry Launches Do-Not Call Registry
Industry groups in France recently launched the Pacitel list, a national Do-Not-Call registry that will allow consumers to each add up to six phone numbers. Creation of the list is aimed at curbing unsolicited marketing phone calls to consumers. Participating companies, which account for nearly 80 percent of companies that make telephone sales calls in France, have agreed not to call any of the numbers on the list. Additionally, participants agree to restrict calls to numbers not on the list to certain times of the day. The list is expected to become operational by the end of the year. While the Pacitel list is voluntary at this time, French Parliament is expected to consider a consumer protection law soon that would require all companies to comply with the list.
TIP: Industry groups in France recently launched the Pacitel list, a national Do-Not-Call registry that will allow consumers to each add up to six phone numbers. Creation of the list is aimed at curbing unsolicited marketing phone calls to consumers. Participating companies, which account for nearly 80 percent of companies that make telephone sales calls in France, have agreed not to call any of the numbers on the list. Additionally, participants agree to restrict calls to numbers not on the list to certain times of the day. The list is expected to become operational by the end of the year. While the Pacitel list is voluntary at this time, French Parliament is expected to consider a consumer protection law soon that would require all companies to comply with the list.
IV. DATA BREACH AND DATA SECURITY
A. RockYou Settles Case Alleging Failure to Protect User Login Information
As we wrote in January 2010, RockYou Inc., maker of certain social media applications, was sued in California for failure to protect consumers' information, including usernames and passwords. The plaintiff argued that because these combinations were usually a user's email address plus the same password that the user employed for the email account, if this information was accessed by an unauthorized third party, the consumer would be put at risk. In particular, that unauthorized third party could use the information to log into the user's email account and access potentially sensitive information within the user's email inbox. During the case, the Northern District of California noted that RockYou may have been in violation of its website terms of service because it had not encrypted email addresses and login information. This case has now settled, with RockYou agreeing to audit its security systems for the next three years, to pay named plaintiff in the class action lawsuit $2,000, and to pay plaintiff's counsel almost $300,000 in fees.
TIP: When developing a security program for your company, make sure that you consider more than just financial information or social security numbers when determining what should be encrypted or otherwise receive heightened protection. Consider as well information that, if accessed by an unauthorized third party, might put customers in jeopardy.
B. FTC Settles with Telemarketer Who Threw Customer Data into Dumpsters
On September 29, 2011, the U.S. District Court for the District of Maryland approved stipulated injunctions against a debt relief group and a mortgage relief group to settle an FTC enforcement action for deceptive marketing practices, violations of the Telemarketing and Consumer Fraud and Abuse Act (TCPA), and violations of the Telemarketing Sales Rule (TSR). The FTC alleged that the defendants deceived financially distressed homeowners in order to sell them debt and mortgage assistance relief services by, among other things, making false statements about their ability to produce results, using false testimonials, and pretending to be a federal agency. In addition, the FTC complaint alleged that the defendants' practice of disposing materials containing the personal information of their customers, including social security number and financial information, in unsecured, publicly accessible dumpsters, constituted unfair and deceptive trade practices and violated defendants' privacy policy, which promised to restrict access of personal information. The injunctions, in addition to imposing financial penalties of $11 million dollars and requiring other remedial steps, prohibit the defendants from failing to properly dispose of customer information and requires them to take reasonable measures to protect against unauthorized access to the information such as by burning, pulverizing or shredding any papers and erasing or destroying electronic media within 30 days. The injunctions also prohibit the defendants from using, benefiting from, or disclosing customer information.
TIP: Companies should ensure that they are taking reasonable steps to protect their customer's data from disclosure and that such steps are consistent with their posted privacy policy. These steps should include methods for the secure destruction and disposal of customer data, especially sensitive financial information.
C. Court Upholds $1 Million Damages Award Against Credit Reporting Service
A federal court in California recently upheld a $1 million verdict against Equifax Information Services. The case involves an individual whose identity was stolen while he was undergoing cancer treatment. Shortly thereafter, he received letters from financial institutions thanking him for credit applications that he submitted. Plaintiff’s thief was charged and convicted with a criminal violation of HIPAA, since the thief was a medical professional at the cancer center where the plaintiff was undergoing treatment. Plaintiff alleged that Equifax also was at fault, and willfully violated the Fair Credit Reporting Act by failing to properly reinvestigate and accurately report the status of the disputed credit card applications, as required by the FCRA. A jury awarded the plaintiff over $1 million in damages. The court found that the evidence presented at trial was sufficient to sustain the award for damages, and punitive damages.
TIP: Companies should carefully consider their obligations to protect sensitive personal information, as they may find themselves accused of mistreatment in the event of a data breach by a third party.
V. WORKPLACE PRIVACY
A. Employees Fired for Facebook Posts Awarded Backpay
An administrative law judge recently found that an employer violated the National Labor Relations Act when it fired five employees for posting Facebook comments about a co-worker’s criticism of their work. The co-worker, Lydia Cruz-Moore, told the employees that she was going to tell a manager that they were not doing their jobs correctly. One employee posted a message on her own personal Facebook page regarding the complaint, and other employees, including Cruz-Moore, also posted comments. After Cruz-Moore informed the manager about the postings, the five employees who had posted comments were fired. The administrative law judge found that the employees had engaged in protected activity under the National Labor Relations Act, which guarantees the right of employees to engage in concerted activity for their mutual aid or protection. The judge found that the Facebook comments constituted concerted activity, even though the comments were not directed at the employer and were not intended to change the employees’ working conditions. The judge noted that the National Labor Relations Board has held that employee conversations about their concerns, including concerns about performance reviews or criticism, can be protected. The judge issued an order recommending that the employees be reinstated and offered back-pay and lost benefits.
TIP: Although the contours of what may constitute “protected activity” are still developing, employers should exercise caution in making employment decisions based on employees’ use of social media because such use may constitute concerted activity protected under the National Labor Relations Act.
B. California Restricts Employer Use of Credit Reports
Governor Jerry Brown recently signed into law a new restriction on the ability of employers to obtain credit reports for employment purposes. The law, California Assembly Bill 22 (“AB 22”), prohibits employers from using credit reports in the hiring or promotion processes. There are exceptions to the prohibition in AB 22, however. Employers may obtain credit reports for prospective or current employees who fall into certain exempt categories, including managerial positions (employees who qualify for the “executive exemption” under California wage and hour law), positions involving regular access to the personal information of others, and positions involving access to confidential or proprietary information of the employer. California joins six other states - Connecticut, Hawaii, Illinois, Maryland, Oregon, and Washington - in prohibiting employers from using the credit history of prospective or current employees in making hiring or employment decisions.
TIP: Beginning on January 1, 2012, California employers may not use credit reports for employment purposes unless the employee position falls into one of eight exempt categories. This prohibition applies to both prospective and current employees.
C. Proposed Federal Acquisition Rule Would Require Contractor Privacy Training
A proposed Federal Acquisition Regulation rule, published on October 14, 2011 in the Federal Register, would require that federal government contractors who work with government records or personal information complete privacy training. The proposed rule would deny contractors access to the records until they completed the training. The rule would also mandate seven areas the privacy training must cover, including the handling and safeguarding of personally identifiable information, the authorized and official use of a government records system, and restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information. Comments on the proposed rule are due December 13, 2011.
TIP: If the proposed rule is accepted, employers who have federal government contracts must implement privacy training for all employees who come into contact with personal information.
D. Use of GPS Tracking Device on Employee’s Car Found Reasonable
On November 23, 2011, a New York state appeals court found that the Department of Labor (DOL) acted lawfully when the agency’s Office of the Inspector General placed a GPS device on an employee’s car, even though the device tracked the employee outside of work hours. The employee had a long history of work misconduct, and the DOL believed that the employee was leaving work without permission and falsifying time records. The DOL attempted to have a private investigator follow the employee during work hours, but the employee realized he was being trailed. The DOL then placed a GPS device on the employee’s car when it was parked in a lot near his workplace. The GPS device transmitted for a month, and the DOL used this information as evidence for its claim that the employee submitted fraudulent time records. A majority on the state appeals court found that this use of the GPS system was reasonable. Unlike a criminal case, where use of a GPS tracking device would require a warrant supported by probable cause, use of the device by a public employer only required showing that the use was reasonable. The majority found that the use of GPS in this situation was reasonable, as the employee had previously discovered that he was being followed by a private investigator and the data from the GPS was not constantly monitored. Two judges on the court disagreed, however, and said that the GPS was an unconstitutional search and that the scope of the use was unreasonable. The GPS transmitted data outside of work hours, including during the time the employee took a week long vacation with his family. Because a majority of the court found the use of the GPS device was reasonable, the employee could not recover from his employer.
TIP: Employers should carefully consider the laws of their state before electronically monitoring employees, especially if that monitoring may include activities or time outside of the workplace.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
| CHICAGO | LOS ANGELES | ||
Liisa M. Thomas |
(312) 558-8121 |
Steven D. Atlee (Litigation) |
(213) 615-1827 |
| Julie Bauer (Litigation) |
(312) 558-5973 | Anna S. Masters (Labor & Employment) |
(213) 615-1711 |
| Monique Bhargava (Advertising) |
(312) 558-3732 | ||
| Christine A. Edwards (Financial Services) |
(312) 558-5571 |
NEW YORK | |
Brian D. Fergemann |
(312) 558-8024 |
Virginia R. Richard (Intellectual Property) |
(212) 294-4639 |
| Delilah B. Flaum (Health Care, Litigation) |
(312) 558-8922 | ||
| Jason W. Gordon (Advertising) |
(312) 558-6145 |
PARIS | |
Brian L. Heidelberger |
(312) 558-5897 |
Sébastian Ducamp (Employment, Litigation) |
33 0(1) 53 64 82 08 |
Mary Hutchings Reed |
(312) 558-5721 |
Blaise Deltombe (Employment, Litigation) |
33 0(1) 53 64 82 31 |
| Michael Melbinger (Employee Benefits) |
(312) 558-7588 | Nathalie Hadjadj-Cazier (Intellectual Property) |
33 (0)1 53 64 81 50 |
Robert H. Newman |
(312) 558-8125 |
Gwendaline Sarrat (Intellectual Property) |
33 (0) 1 53 64 82 47 |
| Michael Philipp (Financial Services) |
(312) 558-5905 | ||
| Tim Rivelli (Litigation) |
(312) 558-5817 | SAN FRANCISCO | |
| Sara Skinner (Advertising) |
(312) 558-7406 | David S. Bloch (Intellectual Property, Litigation) |
(415) 591-1452 |
Cardelle B. Spangler |
(312) 558-7541 |
Kimberly E. Eckhart (Intellectual Property) |
(415) 591-6805 |
Marc H. Trachtenberg |
(312) 558-7964 |
Jennifer A. Golinveaux (Intellectual Property, Litigation) |
(415) 591-1056 |
|
|
Becky L. Troutman (Intellectual Property) |
(415) 591-1401 |
| LONDON | |||
| Zoë Ashcroft (Corporate, Financial) |
44 (0)20 7105 0025 | WASHINGTON, D.C. | |
| Marion K. Goldberg (Health Care) |
(202) 282-5788 | ||
| Anthony DiResta (Litigation) |
(202) 282-5782 |
Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
© 2011 Winston & Strawn LLP