First Quarter 2008

In This Issue:

I. E-COMMERCE

I. E-COMMERCE

A. Online Retailer Settles with FTC Over Allegedly Deceptive Security Representations

Life is good, Inc. owns and operates a Web site at which it sells apparel and related accessories. As part of the sale of its goods, the company collects customers' names, addresses, credit card numbers, expiration dates, and credit card security codes. In its privacy policy, Life is good states that information collected is "kept in a secure file." According to the FTC, lifeisgood.com was attacked over a two-month period because of the company's failure to maintain reasonable and appropriate security measures. In particular, the FTC was concerned that contrary to Life is good's representations that it stored information in a secure file, it actually (1) stored the information in clearly readable text; (2) stored information indefinitely without any legitimate business reason; (3) failed to assess its site's vulnerability to common hacker attacks and did not use low-cost or free methods to protect against such attacks; (4) did not use common security measures to protect connections to its Web site; and (5) did not use methods designed to detect unauthorized access to its systems. On January 17, the FTC issued its proposed agreement and consent order, under which Life is good is required to create and implement a reasonable security program to protect the security of consumer information it collects and maintains. As part of the settlement, Life is good is to obtain biennial audits of its compliance with the security program, and must assign one or more employees to run the program. The audits are to be conducted by a qualified third-party professional.

TIP: If you collect personal data, especially sensitive data such as credit card information obtained over the Internet, the Life is good agreement can serve as a model for steps you can take to protect that information. These include: (1) identifying risks to data you collect and maintain, including with respect to employee training management, information systems, and prevention of external attacks; (2) designing reasonable safeguards to protect against attack or other risks identified in your assessment; (3) using third-party vendors who will protect information and executing agreements with those vendors that require them to protect information; and (4) conducting ongoing compliance checks to ensure protection of information and modifying practices as it becomes necessary.

[Top]

B. Internet Payday Lenders Settle With FTC Over Deceptive Advertising Claims

American Cash Market Inc., Anderson Payday Loans, and CashPro (d/b/a MakePaydayToday.com) have all agreed to settle charges with the Federal Trade Commission, which alleged that the companies did not disclose the annual percentage rate of their loans, in violation of the Truth in Lending Act and Regulation Z. All three of the companies offered individuals payday loans over their Internet Web sites, namely cash advance loans with high fees and short repayment periods. Although the companies disclosed the costs of the cash advances, they did not disclose the APR, and thus failed to allow consumers important information when comparison shopping for loans. The companies’ APRs ranged from 460 percent up to 780 percent.

TIP: If making financial disclosures in online advertising, ensure that you comply with all applicable regulations, such as Truth in Lending and Regulation Z.

[Top]

C. Marketers Settle with FTC/Florida AG Over Deceptive Online "Free" Offers

Member Source Media LLC, operator of the Web sites consumergain.com, premiumperks.com, freeretailrewards.com and greatamericangiveaways.com, recently settled with the FTC over allegations that the company had sent deceptive and misleading emails to consumers. In its e-mails, Member Source told consumers that they had won merchandise, when in fact the consumers had to purchase third-party products in order to receive the allegedly "free" products. As part of the settlement, the marketer agreed to pay $200,000 in civil penalties.

In a similar case, World Avenue USA recently settled with the Florida state Attorney General over allegations that it had deceptively advertised to consumers that they could get "free" laptop computers as well as other prizes and gifts. However, in order to get the laptops, consumers had to make purchases. As part of the settlement, the advertiser agreed to pay $1 million in civil penalties.

TIP: As always, be sure to include all material terms of an offer in the body of the offer, not merely in the legal "fine print." A product is only "free" (as opposed to "free with purchase") if the consumer does not have to make a purchase to get it.

[Top]

D. Online Furniture Retailer Sued by Florida for False Delivery Claims

An online furniture retailer, Elite Purchasing Group, was recently sued by the State of Florida for Deceptive Trade Practices. In the complaint, Florida alleged that the company falsely implied that it had a special relationship with manufacturers that would allow it to get furniture to consumers on a fast turnaround. In fact, according to the complaint, no special relationship existed, and the defendant often delivered items late, or not at all.

TIP: If you promote a special benefit to your services, make sure you can deliver on your claims.

[Top]

E. Forum Selection Clauses in Web sites' Terms of Use Enforceable

Two recent cases have upheld a Web site's broad forum selection clause as binding on users, based on the users' actual or constructive acceptance of the Web sites' terms. In one case, an online investor signed up for a day-trade service on defendant Chippas' Web site FuturesCom.com. The Chippas Web site terms of use stated that use of the Web site constituted agreement to the terms, and one of the terms was agreement to venue in Florida. The investor sued the Web site in the U.S. District Court for the Northern District of Texas. The court held that, absent a strong showing of fraud or unreasonableness, the online investor was bound by the forum selection clause included in the terms. The online investor had constructive knowledge of the clause because the Web site showed that the clause was on the Web site when the online investor accessed it.

In the other case, brought in the Northern District of California, a user seeking to register a domain name with Network Solutions affirmatively clicked on an online agreement which contained a forum selection clause with venue in the Eastern District of Virginia. The user brought suit in California, alleging that Network Solutions illegally published his account information online in violation of the Electronic Communications Privacy Act and various California Privacy Codes. The court held that the claim arose out of the user's status as the Web site's customer, thus implicating their contractual relationship. Therefore, the forum selection clause was enforceable.

TIP: Web site terms of use are often found to be binding on users, and companies should thus ensure not only that they have online terms for their Web sites, but that they include on those terms clauses that are favorable to the company, such as forum selection clauses.

[Top]

II. ONLINE PRIVACY

A. FTC Seeking Comment on Privacy Guidelines for Behavioral Advertising

The FTC has issued proposed privacy guidelines for those engaged in online behavioral advertising – the practice of tracking a Web site user's online habits in order to understand the user and target advertising to his or her interests. The principles were developed from comments the FTC received in November 2007 at a town hall discussion "Behavioral Advertising: Tracking, Targeting, and Technology." The principles include greater transparency of the tracking process, giving consumers control over whether their information is collected for tracking purposes, and limiting retention of tracked data.

In related news, the Interactive Advertising Bureau released new privacy guidelines it says are designed to give greater consumer choice. The IAB reports its guidelines as being more flexible than those of the FTC.

TIP: Those engaged in behavioral advertising should review the principles to determine if they make sense for their business models, and provide comments to the FTC on or before the extended deadline of April 11, 2008.

[Top]

B. MySpace, State AGs Enter Into Agreement to Increase Online Safety for Children

Forty-nine state attorneys general – with Texas as the lone state holdout – announced on January 14 that they had reached an agreement over online child safety on the popular social networking Web site. As part of the agreement, the parties issued a Joint Statement on Key Principles of Social Networking Site Safety, in which MySpace agreed to organize an industry-wide task force to study the issue of child safety on social networking Web sites. Principles included using Web site tools to protect children from inappropriate content and inappropriate adult contacts, and the education of parents, children, and teachers about online safety. MySpace also made modifications to its site to block users over 18 years of age from browsing those under 18 years of age, prohibiting users over 18 years of age from adding friends under 16 years of age unless the user knows the friend's last name or e-mail address, and prohibiting users under 18 years of age from accessing tobacco advertisements and those under 21 years of age from accessing alcohol advertisements. All users will now have the option to set their profiles to private, can approve comments before they are posted, and can conceal their "online now" status. MySpace will also be examining ways to strengthen the algorithm it uses to identify underage users in an effort to ensure that MySpace has no users under the age of 14. The Texas Attorney General did not sign the agreement for fear that it would give parents and children a false sense that children would be secure.

TIP: The attorneys general are encouraging other social networking Web sites to adopt the principles agreed upon by MySpace. If you operate a social networking Web site, or have sensitive content on your site that you wish to block from minors, you should review and consider the principles agreed upon by MySpace with your legal counsel to determine if they are appropriate for you.

[Top]

C. Sale of Unauthorized Photo Might Violate Privacy in West Virginia

A soldier who was identifiable in a photo on the cover of Killer Elite: The Inside Story of America’s Most Secret Special Operations Team, has sued the publisher, St. Martin’s Press; Amazon, which sells the book; Getty Images, which provided the photograph to St. Martin’s; and CafePress, which sells t-shirts imprinted with the soldier’s image. The soldier alleged in his complaint that these parties used his image without his consent, and the U.S. District Court for the Southern District of West Virginia declined to grant the defendants’ motion to dismiss. In so doing, the court concluded that the soldier’s right of privacy may have been violated; however, it dismissed the right of publicity claim. The court did indicate that in some instances a soldier might have such a claim if the soldier was found to be a public figure, but here the soldier failed to allege that he was a public figure (or even a soldier, according to the court’s ruling).

TIP: When obtaining a photograph from a third party, ensure that you have rights not only to the photograph, but also rights to feature the individuals who may be depicted in the photograph.

[Top]

D. Requiring Consumers to Receive Marketing Materials When Making Online Purchases Violates Alberta Law

The Office of the Information and Privacy Commissioner of Alberta, Canada brought an action against ticketmaster.ca regarding its information collection practices. According to the Office's report, a consumer when making a purchase on ticketmaster.ca could not complete his or her purchase unless he or she agreed to the following "by purchasing a ticket to this event, you are consenting to Ticketmaster sharing your e-mail address and other information with those involved in this event…and you are consenting to those involved in this event using your information to contact you by e-mail or other means to send you marketing or other messages…". The Office found that by requiring consumers to consent to use of information for marketing purposes, consumers were being required to consent to use of information for purposes beyond what was necessary to deliver the tickets, in violation of Alberta law.

TIP: Seek counsel when considering requiring consumers to agree to receive marketing messages in connection with an unrelated transaction. Merely because a person purchases a ticket from you, or enters a sweepstakes, does not mean that they should be considered to have "opted-in" for purpose of CAN-SPAM, or to have waived their rights under federal or state Do Not Call lists.

[Top]

III. DATA SECURITY

A. Student Loan Company Settles with FTC Over Lax Data Security Charges

Goal Financial, LLC, a student loan company that collects personal information when providing loans and other financial services, settled with the Federal Trade Commission in March over charges that security failures resulted in the unauthorized transfer of personal information about students to third parties. According to the FTC, Goal Financial’s practices violated the Safeguards Rule of the Gramm-Leach-Bliley Act, inasmuch as the company did not provide reasonable or appropriate methods for safeguarding consumer information, information that included individuals’ names, Social Security numbers, dates of birth, and employment information. Instead, the company did not assess risks to its electronic and paper files, did not adequately restrict employee access to files, did not have a security program in place, did not adequately train employees, and did not in many instances require contractors to protect the security and confidentiality of consumers’ information. As a result, employees improperly transferred the files of 7,000 individuals to third parties, and sold hard drives to the public that had not been adequately scrubbed of the sensitive personal data of 34,000 consumers. In addition to creating an appropriate security program, the company must obtain an independent audit of its safeguard measures every two years for the next ten years. The agreement will become final at the end of April, after a public comment period.

TIP: Whether or not your company provides financial services such that you are subject to the GLB Safeguards Rule, you should ensure that you have appropriate measures in place to protect consumer information your company might maintain, especially if that information is sensitive in nature.

[Top]

B. Texas Sues Over Failure to Properly Dispose of Sensitive Information

Citing identity theft, the Texas Attorney General sued a Pennsylvania physical therapy company for allegedly failing to properly dispose of sensitive medical and personal information. The lawsuit brought in Texas state court in January was filed against Select Physical Therapy Texas Limited Partnership, a company doing business in Texas with its headquarters in Alabama, and Select Medical Corporation, the parent company in Pennsylvania, alleging the companies "systematically" exposed patients to identity theft by throwing thousands of pieces of sensitive personal and medical information in the garbage including names, addresses, telephone numbers, Social Security numbers, copies of drivers' licenses, and credit card information. The Texas Attorney General alleged violations of Texas' Identity Theft Enforcement and Protection Act and seeks injunctive relief to prevent the defendants from disposing of these records without shredding them or otherwise making the data unreadable or undecipherable, as well as a court order requiring the defendants to adopt, implement, and maintain a comprehensive information security program. Fines of $500 for each unshredded record also are being sought along with additional penalties.

TIP: This case serves as another reminder to ensure you have proper safeguards in place when storing or disposing of individuals' sensitive information.

[Top]

C. California Expands Breach Notice Law to Medical Information

California's data breach law, which previously only covered financial records, has been expanded to include unencrypted medical information, including medical histories, information on mental or physical conditions or diagnoses, insurance policy or subscriber numbers, applications for insurance, and insurance claims histories and appeals. The law applies to state agencies and companies that do business in California, and requires companies to disclose any breach of security to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. "Personal information" is an individual's first name or initial and last name in combination with specific data elements like a Social Security number, driver's license number, or credit or debit card number. The law was passed in part to combat medical identity theft where stolen medical records can be used to submit fraudulent medical insurance claims and actual patient medical records are filled with false information. The law, California Assembly Bill 1298, is certain to add to the costs of managing medical records and is likely to result in the increased use of encryption for these records, especially on mobile devices such as laptops and PDAs.

TIP: Companies doing business in California who have encrypted personal and medical information need to make sure their security breach procedures are consistent with the new California law.

[Top]

D. New Jersey Online Dating Web Sites and Background Checks

Earlier this year, New Jersey enacted a law that requires online dating Web sites to either conduct background checks of its members, or to prominently disclose – on their registration sign-up pages – that they do not conduct such background checks. The law goes into effect in May, and was applauded by a grassroots consumer group, Safer Online Dating Alliance, which has been pushing for laws of this sort. According to SODA, consumers may incorrectly believe that part of the services offered by fee-based dating sites is background checks.

TIP: This law – intended to enhance the safety of online dating service users – reflects an increasing trend we have noticed in laws and advocacy groups seeking to protect online users. Companies that operate online companies that might be viewed as putting individuals at “risk,” especially when letting individuals communicate independently of one another, may wish to take stock of their security and screening measures.

[Top]

IV. EMPLOYEE PRIVACY

A. CFAA May Require Companies to Allege Specific Facts Regarding Loss

In a recent suit, Modis, Inc. alleged that a former employee used her authorized e-mail account to access a Modis database in order to copy and transfer private client information. This employee allegedly provided this information to her new employer, a competitor of Modis, in violation of this employee's employment contract. Modis sued the former employee for violation of the Computer Fraud and Abuse Act, as well as a number of other torts, alleging that the employee accessed a computer “without authorization” or “exceeded authorized access.” The employee moved to dismiss the CFAA claim on several grounds, including that she was authorized to access the database as part of her job. The U.S. District Court for the District of Connecticut noted that courts are split over how the terms “without authorization” and “exceeds authorized access” should be interpreted. The Court determined that it did not need to adopt an expansive or narrow interpretation of these terms, as the employment agreement clearly prohibited the access in question. The employee also argued that the Court should dismiss the CFAA claim for failure to properly allege damage or loss. The Court noted that the CFAA has a jurisdictional requirement of a "loss to 1 or more persons during any 1-year period…aggregating at least $5,000 in value." Modis alleged that the former employee's conduct caused harm in excess of $5,000, but failed to state any facts identifying the nature of the harm. The Court dismissed the CFAA claim for failing to provide notice to the defendants as to whether Modis is asserting losses based on response costs or lost revenue due to an interruption of service. The Court granted Modis an opportunity to replead, stating that "this case presents an instance where plaintiff is obliged to amplify its claim of jurisdictional loss with some factual allegations to render its claim plausible."

TIP: Companies should protect confidential information and/or trade secrets by restricting an employee’s access to only that information essential to his or her position. Companies also should consider utilizing contracts protecting sensitive proprietary information with explicit remedies for unauthorized copying or other misuse of confidential information. If an employee violates the CFAA through unauthorized access to company information, companies should take care to identify any loss or harm with sufficient specificity.

[Top]

B. Memorized Client List Not Protectable Trade Secret

Al Minor & Associates, an actuarial firm, employed Robert Martin as a pension analyst, but did not require him to sign an employment contract or noncompete agreement. While still employed by Al Minor, Martin organized his own company with the purpose of providing the same services as Al Minor. Martin resigned from Al Minor and, without taking any documents containing confidential information, successfully solicited Al Minor clients based on information that he memorized. Al Minor sued Martin under Ohio's version of the Uniform Trade Secrets Act ("UTSA"). The magistrate determined that Martin had misappropriated Al Minor's trade secret and specifically held that the fact that Martin solicited Al Minor's client from memory did not prevent the finding of a trade secret violation. Martin appealed, arguing that a memorized client list does not satisfy the definition of a trade secret. The Court of Appeals affirmed, and Martin appealed to the Supreme Court of Ohio. The Court affirmed the ruling, noting that more than 40 other states have adopted the UTSA in substantially the same form, and "the majority position is that memorized information can be the basis for a trade secret violation." The Court determined that the form of the information and the manner in which it is obtained are unimportant, and that "the information is protected by the UTSA, regardless of the manner, mode, or form in which it is stored—whether on paper, in a computer, in one's memory, or in any other medium."

TIP: Companies should protect confidential client information by restricting an employee’s access to only that information essential to his or her position. Companies should also consider utilizing contracts that explicitly and broadly identify client information as confidential trade secrets, and that contain non-compete provisions tailored to comply with state law.

[Top]

V. HEALTH AND FINANCIAL PRIVACY

A. Portions of Maine Prescription Privacy Law Found Unconstitutional

The Maine Prescription Privacy Law permits those who prescribe pharmaceuticals in Maine to assert confidentiality protection to prevent pharmaceutical companies from using the prescribing information for marketing purposes. In IMS Health Corp. v. Rowe, a federal district court in Maine recently held this provision of the law an unconstitutional restraint on commercial speech. The plaintiffs, prescription drug information intermediaries (PDIIs), paid pharmacies to transfer prescription information — in encrypted format including medication names, dosages, and prescriber names — and patient information — including birth years, genders, patient names, addresses, and health insurance information. PDIIs in turn sell this information to pharmaceutical companies, whose sales reps use the detailed, aggregated data to market more specifically to individual prescribers. In IMS Health Corp., the plaintiffs alleged that the Maine law violates the First Amendment to the U.S. Constitution by restricting speech, is void for vagueness, and violates the Commerce Clause. The court, in IMS Health Corp. found that the prescription information is commercial speech, the Maine law restricts such speech, and an intermediate scrutiny standard of review should be applied. In applying the intermediate scrutiny standard, the court concluded that all of the relevant factors weighed in favor of enjoining the application of the law. In so doing, the court relied, in part, on the decision by another federal district court, which was presented with a similar challenge to a New Hampshire prescription privacy law. The Maine court also determined that the opt-out provision for the prescribers — which the New Hampshire statute did not contain — made no "constitutional difference" in finding the law unconstitutional.

TIP: Pharma companies and others who prescribe pharmaceuticals need to make sure their marketing plans take into consideration ongoing state confidentiality law issues.

[Top]

B. FACT Act Violations Occur When Online Receipts Contain Expiration Dates

The Southern District of Florida recently held that 1-800-Flowers.com violated the FACT Act when the plaintiff printed an electronic receipt after making an online purchase, and that the receipt contained the plaintiff's credit card expiration date in violation of the FACT Act. In two separate cases, a federal judge in the U.S. District Court for the Central District of California held that a customer that received an electronically printed receipt containing the expiration date of his credit card may pursue a class action lawsuit on behalf of himself and other similarly situated consumers against a retailer for statutory damages for willful violations of the FACT Act. The FACT Act provides for statutory damages of not less than $100 or more than $1,000 for each willful violation. The California court held that because the available statutory damages are minimal, individual suits do not provide sufficient enforcement of the FACT Act.

TIP: Entities that provide receipts for credit card purchases must ensure that their equipment is programmed to meet the requirements of the FACT Act (which means that credit card expiration date cannot appear on the printable receipt).

[Top]

If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

If you no longer wish to receive the Privacy and Technology Client Bulletin, please e-mail us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 W. Wacker Drive, Chicago, IL 60601.

These materials have been prepared by Winston & Strawn LLP for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this Client Bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn LLP's Web site (www.winston.com).

Copyright © 2008. Winston & Strawn LLP.