I. ELECTRONIC COMMUNICATIONS
Distributive Networks LLC, a wireless content and technology company, was sued by a class of approximately 1,000 consumers who allegedly received unwanted text messages encouraging the consumers to subscribe to Distributive's services. The case was brought in mid-2006 under the Telephone Consumer Protection Act, which prohibits sending text message advertisements (messages that encourage the recipient to purchase a product or service) if the sender has not first obtained prior express consent. Distributive agreed to settle, and as part of the settlement, is to pay $150,000. This amount includes a $150 payment to each member in the class. While Distributive did not admit fault, it did indicate that two of its affiliates were abusing Distributive's text message rules, as well as the rules of carriers who sent the messages.
TIP: As text message advertising becomes more popular, it is imperative that companies keep in mind the very stringent laws that govern the practice, including not only the Telephone Consumer Protection Act, the basis of this case, but also the CAN-SPAM Act, which also regulates the practice.
Illinois Attorney General Lisa Madigan brought suit against C & C Global Enterprises LLC, a Florida-based resort properties corporation. The suit alleges that the company sent millions of unsolicited text messages telling recipients "we have someone interested in buying or renting your time share." Recipients were then directed to C & C Global's Web sites (webuyresorts.com and resortreseller.com), where, the suit alleged, if consumers went through the online process, they were charged fees, but never provided with the necessary paperwork enabling them to complete the listing. Madigan indicated that her office received about 250 complaints, all relating to the unsolicited text message campaign. The suit was brought in January under the Illinois Consumer Fraud Act, as well as the federal Telephone Consumer Protection Act, and seeks both an injunction as well as a $50,000 civil penalty.
TIP: This is another case reminding companies to be cognizant of laws that regulate sending text message advertisements. In particular, at issue in this case was the TCPA prohibition on using automatic telephone dialing systems to send unsolicited, non-emergency text messages to cellular phones where the recipient is charged to receive the message. Other restrictions on text message advertising exist; companies should thus use caution before engaging in the practice.
Under the CAN-SPAM Act, companies that send e-mail messages that contain sexually explicit material must put the phrase "SEXUALLY EXPLICIT" in the subject line, and must also ensure that the message area that is immediately viewable contains no sexually graphic images. TJ Web Productions, an operator of adult Web sites, promotes its sites through an affiliate program that pays other sites to direct traffic to TJ Web. Many of TJ Web's affiliates send blast messages that include sexually explicit pictures that link to TJ Web's sites. According to the FTC complaint, TJ Web induced its affiliates to send these messages, through both monetary and other consideration. As a result, the FTC viewed TJ Web as an "initiator" of the messages, as well as a sender, since the messages included advertising for TJ Web's sites. As part of its settlement with the FTC, TJ Web agreed to pay a civil penalty of $465,000.
TIP: This case helps define when a company will be viewed as the "sender" of an e-mail message. In particular, when, as in this case, the company is offering third-party incentives to send the message, and the message includes company advertising, the company will be viewed as a sender. Companies should thus ensure that third parties who send advertising messages on their behalf conform to the CAN-SPAM Act requirements.
II. DATA SECURITY AND BREACHES
Liisa Thomas will be speaking on "Complying with the 50 States, Including California" at the ACI's 19th Annual Advanced Corporate Counsel Forum on Advertising Law at the Signature at the MGM Grand in Las Vegas on June 5, 2007.
Mention promotion code 672L07.S for a $200 discount off the price of registration.
In a complaint filed by the California Attorney General, Sony was alleged to have sold almost one million CDs with software that limited a user's ability to copy music. The packaging in which the software was sold did not disclose that the anti-copying software was included, and when the CDs were inserted into the computers, there was no disclosure that the software was being loaded onto their machines. The software also appears to have made consumers' computers more vulnerable to hacking, and computers were damaged when consumers attempted to uninstall the software. In addition, the Sony CDs contained software that allowed Sony to communicate with the consumers' computers through the Internet and send advertisements about particular musical artists. Sony agreed earlier this month as part of the California settlement to provide $175 refunds to consumers who attempted to repair their machines. Similar agreements were reached late last year with Texas and Massachusetts.
TIP: If selling software on CD-ROMs or DVDs, all material functionality of the software should be clearly disclosed on the packaging, especially functionality that might impact the operation of consumers' existing hardware and software.
In a complaint filed on January 22, a Chicago aldermanic candidate sued the Chicago Board of Election Commissioners in both state and federal court for allegedly providing him with not only general contact information on registered voters, but also those voters' social security numbers. The information was provided in electronic format, and according to Peter Zelchenko, the plaintiff, it was a "perfect software package for widespread identity theft." Zelchenko alleged that the Board violated the Illinois data breach notification law, as well as violating voters' general right of privacy. Zelchenko indicated that he first told the Board of the problem in August, but alleges in his complaint that he received another disk with social security numbers in December.
TIP: If you do not already have a system in place for quickly responding to data breach problems, you should put one in place as quickly as feasible.
The Telephone Records and Privacy Protection Act of 2006 creates a criminal penalty for fraudulently obtaining another person's telephone records. The Act was passed in the wake of the highly publicized Hewlett-Packard case, where the company hired an investigator to determine the source of board leaks. The investigator used pretexting (calling a phone company impersonating the consumer to obtain personal phone records) to get phone numbers of board members and reporters. Under the new act, such practice is illegal, as is the practice of accessing consumers' call data through the Internet.
TIP: If engaging a third party for telemarketing or research services, ensure that your vendor does not employ pretexting to obtain data.
The first federal data breach notification law, signed into law at the end of 2006, is not as broad as some had hoped. The law responds to the widely reported theft of more than 25 million active and retired veterans' personal data from the U.S. Department of Veterans Affairs. The new law requires that the agency notify veterans in the event of a breach of their personal data.
TIP: While not broad in scope, this law is the first federal data breach notification law, joining 34 state breach notification laws. The state laws have broader applicability, requiring companies to notify consumers in many instances if personal data maintained by the company has been compromised. It is quite likely that we will see a federal, broadly applicable, data breach notification law passed in 2007. If you maintain personal information for consumers (or employees), you should have a breach notification plan in place, if you do not already have one.
III. SOFTWARE AND TECHNOLOGY
David Bloch will be speaking to the National Contract Management Association's East Bay chapter on "Patent Licenses After MedImmune v. Genentech." Discussions will include the implications of recent Supreme Court patent rulings on technology license negotiations. The event will be held in San Ramon, Calif., on April 19.
Andrew Bridges will be participating on a panel entitled "That's Mine. This is Yours: A Fair-Use Debate" during the 20th Annual Media and the Law Seminar: A Media Lawyer's Guide to the Galaxy. The program will include discussions on the intersection of privacy and technology. The event will be on May 4, 2007 at the Intercontinental at the Plaza in Kansas City, Mo.
NBTY, Inc., a nutritional-supplement company, purchased a license from Therapeutic Research Faculty, a company providing drug therapy information and advice, which also owns and operates a database containing drug therapy information. NBTY obtained a single-user license to the Therapeutic Research information database, allowing only one user to access the information. NBTY was accused by Therapeutic Research of distributing the access information to multiple NBTY employees. The Eastern District of California found that Therapeutic Research's allegations were sufficient to state a claim, and declined to grant NBTY's motion to dismiss.
TIP: Often software licenses are limited to only a specific number of users. Ensure that you obtain licenses sufficient to cover all users who may wish to access the database or software in question.
In a case brought before the District Court for the District of Colorado, Internet Archive was accused of having breached profane-justice.org's online terms. Internet Archive uses technology to capture and store old versions of web sites and make them available to the public in what it calls its "Wayback Machine." The online terms of profane-justice.org indicated that if anyone copied or distributed anything from the site, they would be entering into a binding contract with the site operator, Suzanne Shell. The online terms provided that each page copied by a user was subject to a $5,000 fee, and granted Shell $250,000 for each instance of unauthorized copying. In moving to dismiss the case, Internet Archive argued that it had not entered into a contract, because only technological means were used to view and copy profane-justice.org's pages. The court found that this was a question of fact, and rejected the motion to dismiss.
TIP: If creating web sites or other archives using third-party content, take care when developing your product to ensure that you have taken measures to obtain the rights to that content, or are otherwise confident that the content is available for use.
IV. WEBSITE PRIVACY
Mark Bates, a Yahoo! user, is alleged to have hosted an e-forum on the site called the "Candyman" group. Bates was imprisoned for his involvement in the e-group, where illegal child pornography was hosted. Parents, on behalf of their children, brought suit anonymously against Yahoo! for negligence, infliction of emotional distress, invasion of privacy, and civil conspiracy. The Eastern District of Texas dismissed the case, finding that the Communications Decency Act (CDA) provides Internet service providers (ISPs) immunity from all private civil liability for content posted by a third party, such as their users. The court did not find persuasive plaintiffs' argument that Yahoo! profited from the e-group through its advertising revenue, stating that Congress chose to immunize ISPs such as Yahoo! — which hosts millions of e-groups — to avoid the chilling effect the threat of litigation would bring.
TIP: Keep in mind if you are providing Internet users with the ability to use interactive online forums, such as chats or blogs, that the CDA provides you, the ISP, with immunity from civil claims that ISP actions have violated criminal laws. The CDA can thus be used as a shield by ISPs in tight situations.
B. CDA Provides Immunity to MySpace
In February 2007 the Western District of Texas found that MySpace Inc. was immune under the Communications Decency Act from claims that it had been negligent in its protection of site users from child predators. The case was brought by a mother whose daughter was victimized by an online predator she "met" on MySpace (the child obtained the account by lying to MySpace about her age). The court found that the CDA protects interactive computer services from liability for the third-party content they publish on their sites. MySpace was found to be an interactive service provider, and the child predator was an "information content provider" submitting content to MySpace, as that term is defined by the CDA.
TIP: This case is another example where the CDA was used as a shield by online service providers in a sticky situation.
C. State Constitution Gives Users Online Privacy Rights
In 2004 Comcast received a subpoena ordering it to provide to a New Jersey police department information about one of its users. Comcast responded to the subpoena, and provided the requested information. The subpoena was subsequently found to be defective, and the question then arose whether the Comcast user had a constitutionally protected privacy interest in the information that was obtained. The court found that New Jersey state privacy protections were more expansive than those afforded under the Fourth Amendment, and concluded that the Comcast user had a reasonable expectation of privacy in her ISP account with Comcast. She had used an anonymous I.P. address in connection with her account, and the court concluded she thus clearly chose to be anonymous. As a result, the information obtained from the subpoena was properly suppressed.
TIP: When determining whether to release personally identifiable information you may maintain, keep in mind that many states have laws that may protect the identities of those users. Consider managing users' expectations so that, for example, they do not have the same expectation of privacy that the user had in this case.
V. WORKPLACE AND INSTITUTIONAL PRIVACY
Winston & Strawn recently sponsored a series of Association of Corporate Counsel (Southern California Chapter) CLE programs in Southern California entitled “Privacy Protection: What Every In-House Counsel Needs to Know About Managing and Protecting Private Employee, Consumer, and Company Information.”
Program materials are available to our clients and friends; please contact us if you would like to receive a copy.
Michael Schiro was employed by Southern Printing. Suspecting Schiro of willfully sabotaging company property, Southern asked him to take a polygraph test. Schiro refused the test and was later terminated. Schiro sued for violation of the Employee Polygraph Protection Act. In late January 2007, the U.S. District Court for the Middle District of Florida held that it was up to a jury to determine whether: (1) Schiro was terminated because he refused to take the polygraph test; and (2) it was illegal for Southern to ask him to take the test given Southern's purported “reasonable suspicion” that Schiro engaged in sabotage.
TIP: Exercise extreme caution when contemplating polygraph tests of employees. Even suggesting a polygraph test may be deemed a privacy violation. You do not want a jury second guessing your justifications for requesting an examination.
B. Potential Good News For Employers Who Provide Internet Access to Their Employees
Cameron Moore sent threatening e-mails and Internet bulletin board postings from his work computer. The recipient of the threats sued Moore and his employer, Agilent. Plaintiff alleged that the threats were created solely by Moore, but that Agilent was responsible because the messages were sent using the computer system that it provided. The California Court of Appeal for the Sixth District held in December 2006 that Agilent was immune from damages resulting from its employee’s tortious use of company email and web access under the Communications Decency Act. The court found that Agilent was protected by the CDA because: (1) Agilent was a provider of interactive computer services; (2) the cause of action treated Agilent as a publisher/speaker of information; and (3) the content at issue was provided by another content information provider. Although the CDA is silent as to the definition of provider, the court found that like libraries that provide web access and Web site operators, Agilent and similarly situated corporations are “providers” and are protected under the CDA. The California Supreme Court declined review of this case in late February 2007.
TIP: Although this case is a positive development for employers, it is important to remember that the California court is the first to apply the CDA so broadly. Employers must continue to walk a fine line between protecting employee privacy and protecting the company from tortious employee actions.
C. Puget Sound Energy Fined $995,000 for Releasing Customer Information
Under a five-year-old marketing program, Puget Sound Energy transferred 65,000 calls to a third-party marketing company, Allconnect Inc., and sent basic information about customers to that entity. Customers' prior written permission was not obtained, in violation of the Washington Utilities and Transportation Commission's regulations. The case initially settled with just the commission, but later the state attorney general's office joined the negotiations, and the fine increased to $995,000. The marketing program has also been suspended, and Puget Sound was required to notify customers about the violation.
TIP: If doing business in a regulated industry, be sure you know of all privacy protection laws that apply. If doing business with an entity in a regulated industry, be sure that it is aware of and in compliance with all privacy protection laws that apply to it.
VI. FINANCIAL PRIVACY
The United States Court of Appeals for the Third Circuit held that the privacy protections of the Gramm-Leach-Bliley Act extend to a financial institution that acts as the trustee for a voluntary employees' beneficiary association. Community Trust Company, a state-chartered trust company, is the trustee of a VEBA trust. CTC accepts deposits, invests them in a money market account, and remits payments of the premiums to insurance companies for individual employees' policy premiums. Each participant in the VEBA trust executed a limited power of attorney for the VEBA trust to act on his or her behalf. In order to afford the VEBA trust GLB Act privacy protections, the Court found that the VEBA trust was a "consumer," as defined by the GLB Act. The Court reasoned that the VEBA trust, because of the limited power of attorney, was the legal representative of individuals who obtain products or services from a financial institution. Accordingly, CTC, the trustee, was entitled to GLB Act privacy protections. In addition, the Court held that before a governmental entity could claim an exemption from the GLB Act for a properly authorized subpoena or summons, the governmental agency must establish that it has jurisdiction to issue the subpoena.
TIP: A financial institution should identify any VEBA trust for which it serves as trustee and determine whether each VEBA trust would be deemed a consumer under the GLB Act.
In what has been reported as the first fine of a financial institution in the United Kingdom (UK) for security violations, the UK's Financial Services Authority fined Nationwide Building Society, a mortgage lending and banking services company, after a laptop was stolen from a Nationwide employee's home. The laptop is alleged to have contained confidential client information. Although Nationwide has indicated that customers have not been damaged, the FSA nevertheless imposed a major fine, stating in its February 14 notice to Nationwide that it viewed as very serious any data security failures in the banking sector.
TIP: This case demonstrates governmental concern with data breach incidents, and underscores the importance of having mechanisms in place to protect sensitive data.
VII. GLOBAL PRIVACY ISSUES
On January 4, 2007, the French Data Protection Authority (CNIL) issued a public warning to Free SAS for having erroneously transferred the unlisted phone numbers of more than 120,000 clients to third-party operators of web-based and phone-based directory services. Indeed, between May 3 and June 2, 2006, the CNIL received many complaints from individuals regarding the publication of their unlisted phone numbers in electronic directories. Like all ISPs, Free SAS has the obligation to put at the disposal of universal directory editors and directory information services providers the personal data of their clients who did not refuse that their personal data be made public (in compliance with the provisions of articles L.33-1 and L.34 of the French Postal and Electronic Communications Code).
In the present case, the CNIL accepted Free SAS's explanation and decided not to fine or issue other sanctions against Free SAS, since the latter has explained that (i) this contentious transmission, which resulted from a programming error that erroneously integrated the unlisted phone numbers instead of excluding them, was now corrected and (ii) it had reinforced the technical security arrangements relating to files accessible to directory editors and the directory information services providers.
TIP: Any transmission of personal data by ISPs must be implemented with tight security in order to meet the French data protection standards. For such purpose, it is widely recommended that ISPs rely on any applicable CNIL-issued guidelines or guides.
The French Data Protection Authority (CNIL), in an official statement dated January 5, 2007, underlined the need to request prior authorization for each and any planned use of biometric technology in computerized identity control systems. Failure to seek prior approval for biometric identity control operations is punishable by up to five years imprisonment and fines of up to €300,000 ($390,822).
Recently, certain companies marketing biometric technology in the form of fingerprint recognition systems falsely claimed to have received a "CNIL label" or a "CNIL approval". CNIL condemned this practice, and in its January 5 statement reminded the companies that none of the biometric technologies is "CNIL approved" or "CNIL compliant."
CNIL has authorized a number of biometric-based identity control systems to benefit from reduced formalities according to its single-authorization system. Indeed, for situations that pose little threat to personal privacy, such as the use of handprint readers for access to school or workplace cafeterias, the CNIL has established framework decisions. In those cases, compliance with those decisions allows a simple declaration of conformity to be sent to the CNIL, which can be done on the agency's Web site.
TIP: If you consider using any biometric technology in computerized identity control systems in France, you should first request CNIL authorization. A request form with the full CNIL warning is available (in French) here.
On February 6, Italy's Council of Ministers issued a new decree (Decree 21A-2007) to specifically regulate the duration of personal digital data retention, mostly when the data are indirectly collected (e.g. electronic images recorded by surveillance cameras or digital data collected by retailers).
The common maximum period of retention for data is 18 months unless the individual agrees otherwise. The text adds that an individual's approval may be expressly given or indirectly deduced from his behavior (e.g. ongoing business relationship with one's bank or insurance company).
TIP: Even if your digital data retention process complies with U.S. laws, make sure that you comply with specific local privacy laws when necessary.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
CHICAGO
Liisa M. Thomas (Advertising): (312) 558-8121
Christine R. Chase (Technology): (312) 558-7902
Christine A. Edwards (Financial Services): (312) 558-5571
Michael Melbinger (Employee Benefits): (312) 558-7588
Cheryl Tama Oblander (Labor and Employment): (312) 558-5797
Stephen P. Durchslag (Advertising): (312) 558-5288
Brian L. Heidelberger (Advertising): (312) 558-5897
Mary Hutchings Reed (Advertising): (312) 558-5721
Michael Philipp (Financial Services): (312) 558-5905
Brian D. Fergemann (Advertising): (312) 558-8024
Sarah La Voi (Advertising): (312) 558-8032
Audrey J. Lee (Advertising): (312) 558-7561

LOS ANGELES
Anna S. Masters (Labor and Employment): (213) 615-1711
Michael S. Brophy (Labor and Employment): (213) 615-1807
Evan R. Moses (Labor and Employment): (213) 615-1713
David Goodman (Labor and Employment): (213) 615-1793

NEW YORK
Virginia R. Richard (Intellectual Property): (212) 294-4639
Lana C. Marina (Intellectual Property): (212) 294-6626

SAN FRANCISCO
Andrew P. Bridges (Intellectual Property): (415) 591-1482
Tyler M. Paetkau (Labor and Employment): (415) 591-1485
Becky L. Troutman (Intellectual Property): (415) 591-1401

WASHINGTON, D.C.
Marion K. Goldberg (Health Care): (202) 282-5788
Paul S. Pilecki (Financial Services): (202) 282-5730
Michael A. Mancusi (Financial Services): (202) 282-5729
John E. Court (Financial Services): (202) 282-5869
David Z. Gross (Health Care): (202) 282-5919

PARIS
Maxence Marsin (Corporate/Intellectual Property): 33 (0)1 53 64 82 16
If you no longer wish to receive the Privacy and Technology Client Bulletin, please e-mail us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 W. Wacker Drive, Chicago, IL 60601.
These materials have been prepared by Winston & Strawn LLP for informational purposes only and are not legal advice. Receipt of this information does not create an attorney-client relationship.
Along with this Client Bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications Library section of Winston & Strawn LLP's website (www.winston.com).
Copyright © 2007. Winston & Strawn LLP.