I. Online Privacy
The International Advertising Bureau (“IAB”) and the National Advertising Initiative (“NAI”) recently published technical standards aimed at aiding advertisers in clearly communicating their online behavioral advertising practices to consumers. The technical standards were developed in light of pressure from the FTC to promote transparency in online behavioral advertising (defined as the practice of obtaining information about a consumer’s behavior on one website, and then using that information to serve advertising to that same consumer on another site). The new specifications were developed by IAB and NAI to be used by advertisers who engage in online behavioral advertising. Under the specifications, these companies would place an “ad marker” in close proximity to the advertisement, or on the advertisement itself. The ad marker is an icon that reads either, “Why did I get this/these ad(s)?”, “Interest Based Ad(s)”, or “Ad Choice(s)”. When clicked by consumers, the marker directs them to a page that contains information about why the ad was delivered, by whom, whether it was the result of behavioral targeted advertising, information about how to opt out of such advertising, and other related information. While this program, called the “CLEAR Ad Notice,” is not a legal requirement, it does provide detailed information about a potential mechanism for complying with the FTC’s recent direction to advertisers to be transparent about any online behavioral advertising practices.
TIP: The notice standards for online behavioral advertising programs are still being developed, and the FTC has expressed concerns that many advertisers’ behavioral advertising practices are not being sufficiently disclosed. As such, you should contact legal counsel before engaging in the practice of online behavioral advertising. The IAB/NAI approach is one option for how to potentially address the FTC’s transparency concerns.
The U.S. Department of Commerce has issued a notice seeking comment on the impact of current privacy laws on Internet innovations, such as cloud computing models, under which six companies can collect and store information in different locations throughout the world. In particular, the department is looking at the crossover between these new innovations and current privacy laws, including whether those laws “serve consumer interests and fundamental democratic values.” Among the questions about which the department is seeking input is the impact that various differing state data breach notification laws have on commerce (including companies’ compliance costs associated therewith), as well as how international privacy laws impact corporations’ compliance costs. In its request for comments, the department points out the role it has historically played in policies that have “helped commerce over the Internet flourish,” including its role in the U.S.-EU Safe Harbor Program (which it administers). The department also references in its notice the work being done by the FTC and the FCC in the privacy area, and indicates that it will coordinate with both bodies in moving forward with its work. Comments are due to the Department of Commerce by June 7, 2010. After receiving comments, the department plans to issue a report which may include potential regulatory and/or self-regulatory steps to address privacy and innovation.
TIP: When developing plans that involve using consumer information, companies should keep in mind that bodies other than those we normally think of – FTC, state attorneys general – are interested and may become active in the online privacy area. We will continue to monitor both the Department of Commerce’s activities in the privacy area, as well as the activities of other government bodies like the FTC and the FCC.
Montana-based ISP Bresnan Communications was recently sued for allegedly installing devices into its network infrastructure that diverted more than 540,000 incoming and outgoing communications to a spyware company, NebuAd, in violation of the federal Wiretap Act, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and trespass to chattels. The diverted communications are alleged to have included all of the ISP users’ web navigation activity, uploaded and downloaded file information, e-mail communications, instant messages, voice-over-Internet-protocol phone conversations, search terms, and IP addresses of the subscribers’ computers. The complaint further alleged that the diverted communications gave NebuAd access to personally identifying information and substantive content in the communications relating to personal and sensitive matters such as health events, insurance coverage, financial and e-commerce transactions, financial account stats, credit reports, political activities and interest, personal relationships, and even privileged correspondence such as marital and attorney-client communications. NebuAd allegedly paid Bresnan a per-subscriber fee for the information, which it used to inject advertising content into the web pages viewed by Bresnan subscribers and to install persistent cookies onto the subscribers’ computers which could not be deleted.
TIP: Companies should take care when engaging in passive tracking activities, especially if those activities are for the purposes of serving advertising to website users. This type of activity is under scrutiny not only by the FTC, but by private citizens as well.
In an ongoing civil trial in Missouri, the plaintiff attempted to obtain the information of a person who anonymously posted comments on a newspaper message board regarding the defendants. The court found that the disclosure of the poster’s identity was protected under the poster’s right of free speech under the First Amendment and the plaintiff failed to show that the poster’s comments were central to establishing the plaintiff’s case against the defendant. The court also found that disclosure of the poster’s identity did not provide information that the plaintiff could only obtain if the poster’s identity was revealed. Furthermore, the court rejected the plaintiff’s argument that the poster waived First Amendment protections by agreeing to the website’s privacy policy. That policy stated, in relevant part, that the newspaper reserved the right to disclose to third parties any personal information collected about the website user in any way and for any purpose, such as to enable the newspaper to provide the user with information about products or services that might be of interest to the user. The court stated that any waiver of a person’s First Amendment right must be clearly stated, while the language of the privacy policy, which mainly discussed disclosure for commercial purposes, did not contain any language that the website user would be agreeing to waive his or her constitutional right to free speech by posting comments on the message board.
TIP: Companies that allow users to post on their websites should use caution when trying to decide whether to release information about the users. This decision suggests that individuals do not waive First Amendment protections merely by posting on a site. If a company wants to have greater flexibility in its website terms, it may need to clearly state the waiver of any constitutional rights.
II. Children’s Privacy
Maine’s legislature has repealed a state law which prohibited, among other things, (1) the collection of personal information from minors under 18 for marketing purposes, without obtaining parental permission, and (2) the use of a minor’s personal information to market to the minor or to promote any course of action regarding a product to a minor, regardless of parental consent. The law initially went into effect on September 12, 2009, but was almost immediately challenged for being overbroad. The Act To Prevent Predatory Marketing Practices Against Minors was repealed, effective immediately, on March 29, 2010.
TIP: Maine no longer prohibits the collection of personal information from minors under the age of 18 without parental permission. However, under the Children’s Online Privacy Protection Act, businesses and advertisers looking to collect personal information from children under the age of 13 must still obtain prior parental consent.
The FTC recently sent out a request for comments on the Children's Online Privacy Protection Act (“COPPA”), which has been in place since 2000. The law requires companies to obtain verifiable consent before collecting personally identifiable information from children online. In light of new technologies and changes in the way children use the Internet, the FTC is asking for input on, inter alia, the impact of COPPA on mobile communications and interactive gaming; the use of automatic filters to screen personal information; whether other technical means should be listed for obtaining verifiable parental consent; whether parents are really asking to see – and delete – their children’s information; and whether the safe-harbor programs under the Rule have helped compliance. Those interested in responding must do so by June 30, 2010.
TIP: This notice from the FTC suggests that it may be considering updating the COPPA Rule to address the applicability of the law to mobile phones, as well as addressing other portions of the law that have caused companies some concern over the years. If your company has interactions with children, it may be worth participating in the comment period. We will continue to monitor this issue and report on any resulting new developments.
The Sixth Circuit recently affirmed that Ohio’s recent legislation prohibiting personally transmitting “materials harmful to juveniles” did not violate the sender’s First Amendment rights. The court agreed with Ohio’s Supreme Court that the statute was not overbroad in that, with respect to electronic messages, it prohibits transmissions that are personally directed, such as e-mails, instant messages, and private chat rooms. The statute does not apply to generally accessible websites or public chat rooms. The Supreme Court’s ruling applied only to the technology stated above, and it is likely that new communications technology will be assessed on a case-by-case basis to determine whether it is more similar to personally directed technology like e-mail or generally accessible technology like public websites. The court further affirmed that the statute was not overbroad where any person sending a personally directed message has the opportunity to know or should have known that the recipient is a juvenile. Under the statute, “material harmful to juveniles” means materials or performance that describes or represents nudity, sexual conduct, sexual excitement, or sado-masochistic abuse which, when considered in whole: (1) appeals to the prurient interest of juveniles in sex; (2) is patently offensive to prevailing standards in the adult community with respect to what is suitable for juveniles; and (3) lacks serious literary, artistic, political and scientific value for juveniles.
TIP: When sending e-mail, instant messages, or other “personally directed” electronic messages which may contain material harmful to minors under Ohio’s definition, be certain that none of the recipients of such messages are juvenile residents of Ohio under the age of 18.
III. Phone, E-mail and Text Privacy
The federal district court in Springfield, Illinois, has refused to reconsider its ruling that the Department of Justice, on behalf of the FTC, adequately alleged that satellite television provider Dish Network violated the Telemarketing Sales Rule (“TSR”). The government alleged in its complaint that Dish Network caused its dealers to call numbers on the National Do Not Call Registry and to abandon outbound calls in violation of the rule. Dish Network argued that it was not liable for the actions of its dealers because it did not direct, request, or coerce them to act in violation of the TSR. The court disagreed, finding that the government adequately alleged that Dish Network caused the dealers to violate the TSR, because Dish Network engaged the dealers to conduct telemarketing activities, sold its services through such telemarketing activities, and provided financial incentives and compensation to the dealers to conduct the telemarketing activities. It should be noted that the court did not rule that Dish Network was liable for the telemarketing activities of its dealers, only that the case can go forward.
TIP: Companies could be liable for the actions of their dealers and/or franchisees even if they have not directly authorized the third party’s illegal conduct. This fact should be considered when drafting agreements with such parties.
Florida-based ModernAd Media LLC recently agreed to pay $2.9 million to settle an investigation by the Florida Attorney General into whether the company had violated the CAN-SPAM Act. The Florida AG’s office began the investigation in response to e-mail messages sent by the company in which, according to the AG’s office, consumers were told that they could get products for “free,” when those products were not, in fact, free. Under the terms of the settlement agreement, the company has agreed to clearly and conspicuously disclose that any items offered for “free” are offered subject to a consumer’s completion of certain requirements. The agreement also requires that the company include adequate disclosures informing consumers that they are entering into a continuity program and prohibits the use of pre-checked boxes in an offer intended to be used for acceptance of terms and conditions. Finally, the settlement requires that the company clearly and conspicuously disclose all material information so that consumers can make informed decisions before purchasing merchandise or participating in trial offers.
TIP: Be sure to clearly and conspicuously disclose all material terms of offers made in an e-mail marketing campaign.
The San Francisco District Attorney settled a recent case it brought against Tagged.com, a social networking site based in San Francisco, for $650,000 in civil penalties and investigative costs to the San Francisco District Attorney’s Office. The settlement followed an investigation by the District Attorney’s Office into the website’s mass e-mail campaign, in which Tagged.com sent 40-60 million e-mails in an effort to attract new members to its website. The e-mails falsely stated that a Tagged.com member had sent the recipient a photograph or private message (which in most cases did not exist). Before a recipient could access the promised photograph or private message, he or she was required to complete a registration pathway that misled consumers into unknowingly giving Tagged.com access to the recipient’s e-mail contact list. Tagged.com then repeated the process by sending the same set of deceptive e-mail invitations to all of the individuals in the recipient’s e-mail contact list. Many consumers only learned later that Tagged.com had sent bogus e-mail invitations in their names to all the people in the consumer’s contact list. The settlement also includes an injunction requiring Tagged.com to implement a system of clear disclosures, informed consent, and other safeguards to protect both Tagged.com members and the general public from unfair business practices.
TIP: Companies who wish to obtain personal identifiable information from consumers should exercise caution if attempting to obtain information through third parties (consumers’ friends). Companies should also use caution if using technology that allows information to be collected passively, and should take care not to send messages that may be viewed as misleading or deceptive.
Voice Touch, Inc. and its officers and directors recently settled with the FTC for alleged violations of the FTC’s Telemarketing Sales Rule which governs sales calls made to consumers by telephone. The FTC alleged that Voice Touch violated the TSR and engaged in deceptive and fraudulent marketing practices where it initiated sales calls to consumers where Voice Touch: (1) ignored consumers’ do not call requests; (2) called consumers on the national “do not call” registry; (3) blocked or failed to transmit accurate caller ID data; (4) failed to make the disclosures required by the TSR; (4) abandoned calls by failing to connect consumers to a sales representative within two seconds of the completed greeting to the person answering the call; (5) used prerecorded messages that did not meet the requirements of the TSR; (6) misrepresented material facts regarding their products and services; (7) failed to pay the National registry fees; and (8) made false or misleading statements regarding Voice Touch’s affiliation with the consumer’s auto manufacturer, that the expiration of the consumer’s auto warranty was imminent, and about the information Voice Touch had regarding the consumer’s vehicle and recall status. Voice Touch settled with the FTC for $650,000, and the settlement required that Voice Touch permanently cease all telemarketing activities or assisting others in telemarketing activities.
TIP: The FTC’s telemarketing sales rule applies to companies who initiate sales calls to consumers. The TSR contains a number of restrictions regarding whom calls can be made to, the timing of calls, the technology which may be implemented, required disclosures, and other procedural requirements. Companies engaging in telemarketing activities should ensure that their procedures and scripts conform to the FTC’s rules.
IV. Consumer Privacy
A California court recently granted voluntary dismissal of a class action lawsuit filed on behalf of 500,000 Netflix subscribers, alleging that Netflix failed to live up to privacy protection promises it made to its customers in its posted privacy policy. Of concern was that Netflix had allegedly given researchers the customer video rental and video rating data for 480,000 subscribers as part of a contest which offered the researchers up to $1 million for new algorithms that would improve Netflix’s ability to provide rental recommendations. The complaint alleged that Netflix violated the federal Video Privacy Protection Act, California consumer protection statutes, and that it constituted unjust enrichment and public disclosure of private facts under California tort law. The court did not reveal any details of the “confidential settlement agreement.” However, Netflix announced that it was cancelling the contest in order to comply with the terms of the settlement as well as to respond to concerns over the program voiced to it by the FTC.
TIP: Companies should exercise caution when sharing data – especially sensitive data – with third parties, especially when the sharing will be for marketing purposes. When determining what constitutes “sensitive” information, keep in mind that special laws (like the Video Privacy Protection Act) may cover information the company is contemplating sharing.
Classmates.com has reached an agreement with plaintiffs in a class action alleging violations of the Washington Commercial Electronic Mail Act and Washington Consumer Protection Act. The agreement, if approved by the court, will require that Classmates.com pay almost $11 million to settle claims that it engaged in a practice of sending “materially misleading and deceptive” e-mails to its users. The allegations stem from Classmates.com’s alleged practice of sending users e-mails that falsely suggested that others were attempting to contact the user, but that a paid membership was required in order to view the activity. Although Classmates.com continues to deny wrongdoing, the parties agree that the settlement should be approved. In addition to requiring the payment of almost $11 million, Classmates.com will be required to make changes to its privacy policy to clarify how cookies are used on the site and to alter its marketing e-mail practices.
TIP: When implementing an e-mail marketing campaign, don’t forget about standard advertising requirements. In particular, think about whether consumers will understand the claims that you are making in the messages.
Q-Boro Holdings, LLC and Urban Books, LLC were sued for violation of an individual’s right of privacy under New York law. Specifically, the individual claimed that the publishers used a photograph of her, without her consent, for the cover of its book, entitled Baby Doll. Although the individual did agree to have the pictures in question taken to promote her career as a singer and songwriter, she did not sign a release allowing the photographer or any other person to use her photograph. When, three years after sitting for the photos, she learned that her image appeared on the front cover of the book, she brought suit against the publishers. The publishers stated that they had a written agreement with the photographer, in which the photographer certified that he had obtained the necessary release for the image and had acquired the right to use the photograph. Nevertheless, the court held that the publisher’s unauthorized use of the image on the front cover of the book violated her statutory right to privacy, and granted the permanent injunction against the publishers.
TIP: When purchasing photographs and images that include identifiable individuals for use in your advertisements or products, be sure to complete your own due diligence to confirm that the photographs do not violate the subject’s right of publicity.
The UK’s Press Complaints Commission (“PCC”) recently rejected a claim from a woman that an article published in the magazine Loaded violated her right of privacy under the Editors’ Code of Practice. The article featured the woman’s name and a number of photographs of her taken from the Internet. Readers were offered a reward of £500 for assistance in encouraging her to do a photo shoot. Although the pictures had originally been posted to the woman’s page on Bebo (a social networking site), they had been taken from that site and distributed widely over the Internet by others. The magazine did not obtain the pictures from Bebo. The PCC said the case raised the important principle of the extent to which newspapers and magazines are able to make use of information that is already freely available online and found the test, therefore, was “whether the publication intruded into the complainant’s privacy, and the Code required the Commission to have regard to ‘the extent to which material is already in the public domain.’ In the Commission’s view, the information, in the same form as published in the magazine, was widely available to such an extent that its republication did not raise a breach of the Code.”
TIP: While some additional leeway and flexibility may be given to newspapers and magazines that reprint content found online, this case reminds companies to be careful when pulling and using content where no rights have been obtained from the photographer or the individual featured in the photographs.
V. Liability Shields and Content Protection
A proposed code of practice implementing legislative measures to reduce online copyright infringement was recently published in the UK as part of the Digital Economy Act 2010. The Act includes provisions aimed at curbing online copyright infringement in the UK, using a system policed by the Internet Service Providers. The Act is, in large part, dependent on the code, which has now been released in draft for comment, and is expected to go into force in early 2011. The draft sets out how and when ISPs will send notifications of claims to their subscribers that their accounts have been used for copyright infringement. At present it is envisaged that fixed-line ISPs with over 400,000 subscribers will be covered in the proposals. The draft code provides that ISPs must record the number of notifications sent to their subscribers and maintain an anonymized list of alleged serial copyright infringers. Copyright holders can then request information on this list and take legal proceedings to identify serial infringers and seek legal redress.
TIP: Once fully implemented through the passage of the code, the Act will provide shields for users’ copyright infringement in the UK similar to those which exist in the U.S. If your organization operates online forums where users can upload content, you may wish to participate and get involved as the code is being designed.
A 15-year-old high school student was pursuing a career in entertainment and maintained a Facebook page for that purpose. Several of his fellow students posted messages on his Facebook page, making derogatory comments about his perceived sexual orientation and threatening him with bodily harm. The aggrieved student and his parents filed suit against the other students and their parents, alleging a statutory claim under California’s hate crimes laws. In response, one of the defendants filed a special motion to strike, contending that the action was a strategic lawsuit against public participation (“SLAPP”), and that the speech was protected under the First Amendment. The trial court denied the anti-SLAPP motion on the ground that the lawsuit did not arise out of a statement made in connection with a public issue. The appellate court affirmed, noting that the defendants had not demonstrated that the posted message was protected speech.
TIP: We are seeing a rise in cases where parties are debating the right to make postings on public forums. When encouraging others to use the forums on your behalf, carefully consider the types of liability that might arise as a result.
A Tennessee court recently compelled arbitration based on a clause contained in a revision to Comcast’s subscriber agreement. In the suit that gave rise to the ruling, a customer alleged that Comcast had engaged in unauthorized billing. In response, Comcast sought to compel arbitration, based on an arbitration clause that was added as a part of its subscriber agreement. The arbitration provision was added by mailing the new provision to subscribers, and the provision provided customers 30 days to reject the change to the subscriber agreement. The plaintiff argued that the arbitration clause was unenforceable, because there was “no meeting of the minds,” since the plaintiff did not read the contract, because it constituted a contract of adhesion, because the provision was unconscionable, and because the provision contained a class action waiver. The court rejected each of these arguments, first noting that Congress has expressed a strong public policy favoring arbitration. The court then explained that Tennessee courts have consistently found that mailing amendments to consumer contracts is valid provided the party receiving the terms “has an opportunity to read them and unconditional right to cancel the contract if he is dissatisfied with the terms.” The court further noted that under Tennessee law, it is not necessary that the plaintiff actually read the provision or sign it for there to be a meeting of the minds. Finally, the court concluded that the arbitration provision was not a contract of adhesion because the plaintiff was provided with an opportunity to opt-out, the provision was not unconscionable because there is “nothing exception or unduly harsh” about the provision, and the majority of courts have rejected the argument that an arbitration provision is unconscionable because it waives the right to bring a class-action lawsuit.
TIP: Take care when drafting arbitration provisions or amending agreements to add new material terms. Because these provisions are frequently challenged, and the strength of these clauses may vary depending on the jurisdiction, it is important to ensure that consumers are adequately informed of any changes and have the opportunity to opt out and/or cease use of a product or service prior to the effective date of the change.
VI. Data Breach and Data Security
The Federal Trade Commission recently settled a false advertising case for $12 million with LifeLock, Inc. which advertised, promoted, offered for sale, sold, or otherwise made available to consumers a service purportedly designed to prevent identity theft through placing fraud alerts on consumers’ credit reports on their behalf. The FTC alleged that the ID theft prevention service did not protect against all types of identity theft, including misuse of existing personal accounts or employment-related identity theft, did not prevent unauthorized changes to customers' address information, and did not ensure that a consumer would receive a telephone call from a potential creditor before a new account was opened in the consumer’s name. Additionally, the FTC stated that LifeLock failed to properly secure customers’ personal information that was obtained pursuant to subscribing to the ID theft prevention service, by failing to employ sufficient safety measures on its network that stores personal information and by failing to require employees, vendors, and others with access to the personal information to use hard-to-guess passwords or security measures. LifeLock will pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle the case.
TIP: Companies should properly qualify their advertising claims. Companies should employ proper security measures when collecting and storing a consumer’s personal information on its servers.
Mississippi has joined multiple other states in requiring that companies notify impacted individuals in the event of a breach of their personally identifiable information. The law will not take effect, however, until July 1, 2011. Under the Mississippi law, companies can avoid notifying impacted individuals of a potential breach if, after investigation, the company “reasonably determines that the breach will not likely result in harm to the affected individuals.” The law otherwise mirrors the requirements in many other states, including the need to promptly notify individuals in the event of a breach. A violation of the law constitutes an unfair trade practice and will be enforced by the Mississippi Attorney General. However, the law expressly prohibits a private right of action.
TIP: The enactment of this latest breach notice law is a reminder that there is a tight time frame for notifying impacted individuals in the event companies determine a breach has occurred. You should thus ensure that your organization has a breach notice plan in place to address how to go about investigating – and notifying – in compliance with the various state requirements.
VII. Financial Privacy
Washington’s new data breach law has become the second in the nation that imposes liability on retailers who accept credit cards, namely, that those retailers may in certain circumstances be accountable to financial institutions for the certain costs associated with a data breach. Under the law, which will go into effect on July 1, 2010, if an entity that processes account information (like credit card information) fails to take “reasonable care” to protect against unauthorized access of the account information, and that failure “is found to be the proximate cause of the breach,” the entity will be “liable to the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington as a consequence of the breach.” Companies are exempt from liability if the data was encrypted, or if they have been certified to be in compliance with the PCI Security Standards. This law is only the second of its kind, following a Minnesota law that was passed in 2007.
TIP: If you collect credit card data during the course of your business, take steps to ensure that the data you collect is encrypted and/or ensure that you are certified as compliant with the PCI Security Standards. These steps can help avoid liability under the new Washington law.
The Florida Attorney General’s office recently announced that it would settle its enforcement action against Certegy Check Services Inc. The action had been brought based on Certegy’s alleged lax data security measures, which led to the breach of data on millions of individuals. Certegy is a special consumer reporting agency and maintains databases containing hundreds of millions of records relating to individual check-writing histories for provision of online, real-time check authorization, which includes personal information in connection with returned check collections, electronic check payments, and credit and debit card transactions. Certegy claimed that one of its former employees had stolen and sold up to 5.9 million records to a data broker, which included bank account information, credit card numbers and expiration dates, and consumer identifying information such as name, address, and telephone number. In addition to the $850,000 payment, the settlement required Certegy to pay for the State’s investigative costs and $125,000 to the AG’s “Seniors vs. Crime” education and crime prevention program. The company also agreed to maintain a comprehensive “Information Security Program” which would be assessed annually by an independent third-party assessor, and to comply with the Payment Card Industry Data Security Standards. Certegy had previously settled a class action suit based on the breach, in which it agreed to pay up to $4 million to members for reimbursement of out-of-pocket costs resulting from identity theft.
TIP: Companies should ensure that they have adequate security measures in place to protect sensitive financial data not only against unauthorized access by outside parties, but also by employees who may be tempted to use the data for nefarious purposes.
The FTC has again delayed the implementation of the Red Flags Rule, promulgated under the Fair Credit Reporting Act and intended to help protect against identity theft. The new implementation date is December 31, 2010. The delay appears to have been granted in order to give legislators more time to decide what entities should be covered and required to comply with the Rule. In particular, many industries have argued that the definition of a covered creditor is too broadly worded.
TIP: We will continue to monitor the status of the Red Flags Rule. In the meantime, companies who will be covered by the Rule have added time to ensure compliance.
VIII. Workplace Privacy
A recent decision by the Supreme Court of New Jersey held that an employee could reasonably expect privacy in her e-mails stored on her employer’s electronic resources when the e-mails involved attorney-client communication. The plaintiff, Ms. Stengart, a former executive of Loving Care Agency, exchanged e-mails with her personal attorney through a web-based e-mail account. After Stengart left Loving Care and accused it of unlawful discrimination, the company discovered the messages through a search of her work laptop. In its opinion, the New Jersey Supreme Court recognized an employee’s right to privacy in e-mails that were stored on a company-issued laptop in certain limited circumstances, such as when the e-mails were marked as privileged and sent using a personal, password-protected, web-based e-mail account. The court focused on the fact that Stengart plainly took steps to protect the privacy of her e-mails and to shield them from her employer, as she did not save the user ID or password for that account on company-issued equipment and she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop. The court ruled that Loving Care’s electronic communications policy, which ostensibly permitted the employer to access “all matters on the company’s media systems and services at any time,” did not convert Stengart’s e-mails with her attorney into the employer’s property. The court explained that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications . . . would not be enforceable.” The court, however, emphasized the unique and customarily private nature of attorney-client communications, and contrasted attorney-client communications with those that are unlawful or otherwise violate company policy, which would not be protected.
TIP: Employers risk liability for reading employees’ e-mail exchanges with a personal attorney stored on company equipment, regardless of what the employers’ electronic resources policy states.
In a recent federal district court case, a company alleged that a labor union undertook a targeted effort to sabotage and interrupt its business operations by “inundat[ing]” the company with mass quantities of phone calls and e-mails to inhibit its ability to conduct day-to-day business activities and to intimidate its employees. The company brought suit against the labor union, alleging a violation of the Computer Fraud and Abuse Act (“CFAA”). The labor union’s website featured a “call to action,” a pre-addressed, pre-typed e-mail voicing opposition to the company’s termination of employees, which could be sent by users to the employer by clicking just a few buttons on the website. As a result of the union’s efforts, the company received a high volume of calls and e-mails, forcing the company to shut down some of its voice mail and e-mail services. The union also distributed flyers to encourage supporters to call the company and express their dissatisfaction with its practices. The court ruled that the labor union did not “access” the employer’s computers in violation of the CFAA merely by sending e-mails and leaving voice mails. The court found that the facts of this case differed from an earlier federal court case that held that a bulk e-mail messaging campaign constituted access for purposes of the CFAA. The messages in the earlier case were sent through intermediary computers (the senders were reaching their targets by making use of third-party computers), whereas the messages in this case were sent directly from the organization’s website to the company.
TIP: While such campaigns may be both irritating and disruptive to business, the Computer Fraud and Abuse Act does not provide liability when a labor union or other organization encourages or facilitates third parties leaving voice mails or sending e-mails through the company’s systems. Companies should develop strategies for dealing with such bulk e-mail and voice-mail campaigns to avoid undue disruption of business.
A federal district court held that certain individuals who read printouts of an employee’s personal e-mail that had been improperly accessed could not be held individually liable for violations of the Stored Communications Act (“SCA”), while the suit could proceed against the company, an affiliated company, and the company’s president who had accessed the e-mails. An employee, Mr. Markert, brought suit against his employer, an affiliated company, the employer-company’s president and other individuals affiliated with the company because the president of the company accessed and printed certain personal e-mails contained on Markert’s personal Gmail account. Markert had remotely accessed his personal e-mail inbox through his personal laptop, causing his personal e-mail inbox to appear on the screen of his work computer. The president of the company allegedly searched the Plaintiff’s personal e-mails through the work computer and gave printouts of the e-mails to other individuals connected to the company. Markert was subsequently terminated because the company president believed Markert was attempting to divert business from the company. Markert brought suit against the company, an affiliated company, the company president, and certain other individuals employed by or affiliated with the company, alleging that they had violated the SCA, which prohibits unauthorized access of electronic communications. 
The federal district court held that, while the SCA prohibits intentional unauthorized access to electronic communications in electronic storage, a person who only reads printouts of e-mail does not violate that law merely because the e-mails were “electronically stored at one point.” The court also dismissed a state invasion of privacy claim against the individuals who merely read the e-mails because “any cause of action that Plaintiff has for invasion of privacy would be against the person who invaded the privacy and subsequently disseminated the information,” not against a person who simply read printouts of the e-mail messages. As the individuals in question only read the printouts, and had not been involved with accessing them from Markert’s computer, the court concluded that the suit against those who just read the e-mails could not proceed. The suit, however, remains pending as to the employer itself, the affiliated company, and the company president.
TIP: Both employers and employees should be cautious when printing and storing sensitive personal e-mails at work. Further, employers and those individuals who access employees’ personal e-mails improperly may be subject to liability under the Stored Communications Act.
IX. Healthcare Privacy
A California federal court judge sentenced a former employee of the UCLA Healthcare System to four months in prison for illegally accessing patients’ medical files. The former employee, Huping Zhou, previously had pleaded guilty to four misdemeanor counts alleging violations of the HIPAA privacy rule for accessing patients’ records without authorization. He reportedly is the second person in the U.S. sent to prison for violating the HIPAA provision. The facts of the plea agreement showed that defendant Zhou had accessed hundreds of medical records over a three-week period, including those of various celebrities and his supervisors, after he had received notice that UCLA intended to fire him for job-performance-related reasons unrelated to unauthorized access to health care records. The U.S. Attorney’s Office has said it has multiple other ongoing HIPAA privacy investigations involving UCLA and other major healthcare systems in California.
TIP: Be aware that violations of HIPAA for accessing patients’ health care records can result in misdemeanor criminal charges.
The American Medical Association (“AMA”) and other health care groups have filed a suit in the federal court in Washington, D.C. challenging the Federal Trade Commission’s application of its “red flags” rule to physicians. The FTC’s “red flags” rule requires creditors to monitor red flags, or warning signs, for possible identity theft. The term “creditors” is broadly defined by the FTC to include many types of organizations such as law firms, utility companies, automobile dealerships, and health care practices. The AMA and the other plaintiffs contend that the application of the “red flags” rules to physicians constitutes unjustified federal regulation of medicine, treating medical practices like banks, credit card companies, and mortgage lenders. The federal district court in Washington, D.C. previously barred the FTC from applying the “red flags” rule to attorneys, after a lawsuit was filed by the American Bar Association. That decision was appealed by the FTC. The AMA and other health care practice plaintiffs are seeking a similar result, contending the FTC’s actions are arbitrary, capricious, and contrary to the law. The plaintiffs are encouraging physicians to comply with the “red flags” rule while the litigation is pending, and the AMA has provided online resources to do so.
TIP: If you are a physician or part of a health care practice which may be subject to the FTC’s “red flags” rule, you should be aware that this lawsuit has not yet been resolved (although the FTC has agreed, generally, to delay enforcement of the Red Flags Rule until December 31, 2010 – see article).
X. International Privacy Issues
In December last year the UK’s Information Commissioner’s Office launched an online consultation for a new draft code of practice to provide organizations with a practical and common-sense approach to protecting individuals’ privacy online. The Information Commissioner has announced that following responses from over 200 organizations (including Winston & Strawn), the final code will be launched in July 2010. The new code will contain a better explanation of the interplay between it and the UK legislation, and include various explanations and a glossary of terms to make it user-friendly. Importantly, the Information Commissioner has revealed in the code that it takes the position that in many cases an IP address is sufficient to be classified as personal data. It is reported that the code will also deal with other important issues, including vulnerable users and children, and will contain extensive revisions to the guidance around online marketing.
TIP: We will continue to monitor the status of the code and keep clients apprised of its contents. Companies that operate in the UK should be aware that this code is coming, and that it should provide helpful clarification on how to handle personal information.
B. French Data Protection Authority Scrutinizing Consumer Tracking Devices
Marketing companies are increasingly using video capture to measure audiences of advertising signs, and mobile phone tracking devices to measure the number of visitors to a particular location (such as a shopping mall or airport). In the case of the video capture on advertising signs, data is being collected in videos featuring people’s identifiable faces. In the case of the mobile phone tracking devices, the data transmitted by cell phones are technical, but can be traced to the client of a mobile phone service. Therefore, these data (faces of the people looking at a billboard and technical data transmitted by cell phones) are being viewed in France as personal data, since they can be used to identify persons. Because these systems capture personal data – even though the data are rendered anonymous immediately – the French Data Protection Authority (“CNIL”) has indicated that it believes that these operations are subject to the country’s 1978 Law on Information Technology and Liberties. CNIL will be monitoring these systems closely to verify they comply with the law, and recently demanded that operators of such systems post clear notices in places where they are used, which notices provide information on what the system is used for and identify the party that is collecting data. Interestingly, CNIL observed that, since anonymity is guaranteed by the non-disclosure of images to third parties or service providers and the irreversible encryption of technical information from telephones, the right to access, correct, or object to data under the 1978 law cannot be applied.
TIP: If you are considering using technology to track the viewership of your outdoor billboards, or technology to see how many people visit a particular location, and you plan to implement that technology in France, take care to ensure that you have suitable notice about the technology in the location where it will be used.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
CHICAGO
Liisa M. Thomas (Advertising), (312) 558-8121
Julie Bauer (Litigation), (312) 558-5973
Monique Bhargava (Advertising), (312) 558-3732
Stephen P. Durchslag (Advertising), (312) 558-5288
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Melbinger (Employee Benefits), (312) 558-7588
Robert H. Newman (Advertising), (312) 558-8125
Michael Philipp (Financial Services), (312) 558-5905
Tim Rivelli (Litigation), (312) 558-5817
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964
Amanda C. Wiley (Associate), (312) 558-8795
LOS ANGELES
Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
NEW YORK
Virginia R. Richard (Intellectual Property), (212) 294-4639
PARIS
Sébastian Ducamp (Employment, Litigation), 33 0(1) 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 0(1) 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47
SAN FRANCISCO
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Andrew P. Bridges (Intellectual Property), (415) 591-1482
Kimberly E. Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401
LONDON
Zoë Ashcroft (Corporate, Financial), 44 (0)20 7105 0025
Danvers Baillieu (Litigation, Financial), 44 (0)20 7105 0017
Barry Vitou (Corporate, Financial), 44 (0)20 7105 0018
WASHINGTON, D.C.
Marion K. Goldberg (Health Care), (202) 282-5788
Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
© 2010. Winston & Strawn LLP