I. E-COMMERCE
In what is alleged to be a random and unauthorized incident, an online advertising representative for a major electronics retailer was found to be offering to pay consumers to post favorable reviews on sales sites such as Amazon.com. Whether this practice is legal in the United States has been debated, and may be addressed if the FTC updates its Endorsement Guides. Absent clear direction, the bad publicity the retailer received suggests that it is not looked upon favorably by consumers.
TIP: Companies should avoid programs where consumers are provided with monetary rewards to post anonymous, favorable product reviews on neutral third-party Web sites, as the practice may be deemed false and deceptive. Companies that do use consumer testimonials or endorsements should follow the FTC's Endorsement Guides, which we expect may be revised in the near future.
An Arizona judge recently ruled that a bot engineered to avoid detection by the World of Warcraft anti-bot detection mechanisms violated sections 1201(a)(2) and 1201(b)(1) of the Digital Millennium Copyright Act. Section 1201(a)(2) prohibits the manufacture, import, or offer to the public of any technology or service that is designed or produced to circumvent a technological measure that controls access to a protected work, while section 1201(b)(1) prohibits the circumvention of a technological measure that effectively protects the rights of a copyright owner in a copyrighted work. The bot, Glider, made by MDY Industries, was designed to avoid detection by World of Warcraft's anti-bot detection mechanism, Warden, and by doing so allowed users to play the game while away from their computers; Glider is not used to extract any copyrighted material from the Warcraft game. Finding that Warden controlled access to the game's dynamic non-literal elements (the interactive Warcraft world), the court held that Glider violated the DMCA by avoiding detection by Warden, which scanned the computer of every user that accessed those elements. The judge did not find any DMCA violations with respect to the elements that could be accessed from the user's hard drive without a connection to the Warcraft server and without engagement with Warden.
TIP: The DMCA prevents any technological product or service that is designed to circumvent measures that protect access to and the rights surrounding copyrighted work. A product or service does not have to actually violate any copyrights in order to violate portions of the DMCA.
The president of Ram Distribution LLC was recently sued for vicarious and contributory copyright and trademark infringement when he purchased counterfeit software through the secondary market. The software owner alerted Mr. Boldin of the infringement; however, he continued to purchase the cut-rate software, which resulted in the software owner suing Ram Distribution and Mr. Boldin for trademark and copyright infringement. To hold a defendant vicariously liable for copyright and trademark infringement, the plaintiff must establish that the defendant had a direct financial interest in the infringing activity and had both the right and the ability to control the infringing activity. To hold a defendant liable for contributory infringement, the plaintiff must prove that the defendant induced or materially contributed to the infringing conduct of another. In this case, Ram Distribution's president had a direct financial interest in the purchase of the software for resale to consumers, and he continued to purchase counterfeit software after being warned by the software owner. Although Mr. Boldin did not participate in the daily ordering of the software, he received numerous warnings. The software owner thus successfully proved to the court at summary judgment that if Ram Distribution was liable for infringement, then Boldin was vicariously and contributorily liable as a matter of law.
TIP: Company executives should exercise care when selecting products for purchase by their companies. Software, in particular, is protected under copyright as well as trademark laws, and software companies have been aggressive in protecting their rights. If corporate executives are found to have a direct financial interest and have the right and ability to control such activity, they—and not just their companies—could be held liable for any infringement.
The District Court for the Northern District of California held that Defendant Veoh, a video sharing service similar to YouTube, was protected by "safe harbors" under the Digital Millennium Copyright Act (DMCA) and not liable for copyright infringement for material uploaded to its Web site. The DMCA shields online service providers from liability for copyright infringement by reason of storage at the direction of a user. The court held that the following functions qualified for DMCA protection because they were directed toward providing access to material stored at the direction of users: 1) the automatic creation of "Flash-formatted" copies of video files uploaded by users; 2) the automatic creation of copies of the uploaded video files composed of smaller sized "chunks" of the original file; 3) allowing streaming access to uploaded videos; and 4) allowing users to download whole video files uploaded by other users. The safe harbor thus covered both providing access to infringing material stored at the direction of users and activity using the uploaded material. The court interpreted the DMCA protections broadly to apply not only to the storage of uploaded content, but also to functions that facilitate access to material uploaded by users.
TIP: Service providers can qualify for DMCA protections not only when they allow users to simply upload and display material, but also where they allow and facilitate access to the materials by other users.
Internet search engines were found to be immune from liability for advertisements purchased by illegal gambling Web sites under Section 230 of the Communications Decency Act (CDA). The CDA states that providers of interactive computer services are not liable for content made available by a third party. The Superior Court of California found that the fact that search engines required third-party advertisers to comply with editorial guidelines did not transform the search engines into content providers. The fact that the search engines were making money from the illegal gambling ads was also found to have no effect on the application of the CDA immunity.
TIP: Even if you supply editorial guidelines for third-party content, the CDA will likely provide immunity to your Web site for third-party content that violates third parties' rights.
In an Oct. 28, 2008 judgment, the Paris Court of First Instance ruled that 18 clauses in Amazon.fr's terms and conditions were "illicit or abusive." The "illicit or abusive" clauses were found throughout the terms and conditions, including in the general sales conditions, the conditions for the protection of private data, and conditions for participation in Market Place Amazon. Notably, the court invalidated clauses in which Amazon disclaimed responsibility for content provided by customers, and held Amazon responsible for content when it provides the means for customers to review products. The court also invalidated clauses in which Amazon informs customers that it can use their personal data for promotional purposes, or furnish it to third parties, which the court found to be in violation of French data privacy laws for acquiring consent. Finally, the court rejected a clause specifying that Luxembourg law applied to the site, finding that even though the company operating the site may be located outside of France, "It is not possible to deprive a consumer living in France from resorting to French law."
TIP: If a company operates a Web site that serves customers in France, it should have its terms and conditions reviewed to ensure that they are compliant with French law, particularly where the Web site contains user-generated content or collects personal data.
II. ONLINE AND CONSUMER PRIVACY
In December 2007, the FTC sought comment on proposed behavioral advertising principles, which would have required companies to give consumers a choice as to whether information they submitted online was used for behavioral advertising purposes. After reviewing the comments, the FTC has recently decided that self-regulation is the appropriate method for protecting consumers—for now. The report cautions that the industry will need to strengthen existing self-regulatory programs to include "meaningful" enforcement. The FTC also indicates in its report that where appropriate, it will bring investigations under the Deceptive Trade Practices Act to the extent that companies are engaging in what it views as unfair or deceptive behavioral advertising practices.
TIP: The February 2009 report on behavioral advertising outlines for online advertisers some activities that the FTC may view as unfair or deceptive, in violation of the Deceptive Trade Practices Act. Although no guidelines for online or behavioral advertising have been put forth by the FTC, companies should nevertheless exercise caution when engaging in such activities, as the FTC will likely give increased scrutiny to these behaviors over the coming year.
As we reported in January 2008, 49 states reached a settlement with MySpace regarding protection of children on the Internet. As part of the settlement, MySpace agreed to lead a task force of online social networks and state attorneys general that would study the safety of children on social networking Web sites and develop guidelines and mechanisms for keeping children safe in such environments. This month the task force, directed by Harvard Law School's Berkman Center for Internet & Society and called the Internet Safety Technical Task Force, issued its final report, noting that the best solution for protecting children online consists of a combination of technical solutions, education, parental oversight, law enforcement, and "sound" policies from social networking Web sites.
TIP: Web sites that offer social networking features should keep in mind that the FTC, other enforcement bodies, and child advocates view such features as inherently appealing to children. As such, sites should ensure that they have taken proper measures to comply with laws such as COPPA, as well as considering guidance such as that put out by the Internet Safety Technical Task Force.
The Swiss Data Protection Authority recently announced that it would allow the transfer of personal information from Switzerland to the United States under a scheme similar to the exporting of data from EU Member States (which Switzerland is not) to the United States. The new US-Swiss Safe Harbor Framework will allow companies that register with the U.S. Department of Commerce, and self-certify that they comply with the principles contained in the framework, to transfer personal data between the U.S. and Switzerland. Prior to this agreement, companies had to obtain the Swiss DPA's approval before conducting any transfers.
TIP: Under the framework, there is a new option for the transfer of data from Switzerland to the United States.
On Dec. 11, 2008, the FTC announced that it had settled a COPPA complaint brought against Sony BMG Music Entertainment. In its complaint, the FTC alleged that Sony BMG was not obtaining parental consent prior to collecting personally identifiable information online from children younger than age 13. According to the FTC's complaint, during registration on some of Sony BMG's sites, the company asked users to provide their age, but allowed users younger than age 13 to register without Sony BMG first obtaining verifiable parental consent. In some instances, the FTC alleged, users younger than age 13 could create profiles and interact with other users, including adults. The settlement included payment of a $1 million civil penalty and deletion of all information collected from children younger than age 13 in violation of COPPA. The FTC also alleged that the company's actions constituted a violation of the Deceptive Trade Practices Act, inasmuch as the privacy policy indicated that the company would restrict children younger than age 13 from participating in the Web site's activities.
TIP: In its press release, the FTC reminded companies operating social networking Web sites not to collect personal information from children without first getting parental consent. If you operate a social networking site, ensure that your practices are in compliance with COPPA and do not run afoul of the Deceptive Trade Practices Act.
A class action lawsuit was recently filed in California against NebuAd Inc. and six Internet service providers for allegedly failing to provide adequate notice and opt-in opportunities before disclosing sensitive and personally identifying information through the use of deep packet inspection (DPI). DPI technology facilitates the review of the contents of Internet transmissions, and can be used for targeting advertising to specific users based on the information revealed. In the suit, the plaintiffs are alleging that six Internet service providers allowed NebuAd to place a DPI interception device into their networks. According to the complaint, the device associates the information it reads with both the IP addresses and the personally identifying information of the users. This information is then used to facilitate NebuAd's advertising model. The plaintiffs allege that this use of their personal information is without their consent, and violates the Electronic Communications Privacy Act, the California Invasion of Privacy Act, and the California Computer Crime Law.
TIP: Obtain "opt-in" consent from consumers prior to monitoring their online activities for marketing purposes, and make sure you are aware whether you are using technologies like DPI that may gather this information.
III. COMMUNICATIONS PRIVACY
The FTC has settled two do-not-call cases with the timeshare providers Westgate Resorts, Ltd. (and related entities) and All in One Vacation Club, LLC (and related entities), with civil penalties from the two companies totaling $1.2 million. All in One Vacation Club obtained numbers from sweepstakes forms. The form did not prominently disclose that consumers would be called by telemarketers; instead, the language appeared only in a small disclaimer on the back of the form. In the Westgate case, the defendants purchased numbers from an online lead-generator, brandarama.com, which obtained numbers through customers who participated in multiple online free or discount offers. When providing their numbers, consumers were not told that the numbers would be shared with Westgate, nor were they notified that telemarketers would call them (except in disclosures buried in the terms and conditions or privacy policy pages). Many of the numbers provided to both companies were registered with the federal Do-Not-Call registry. The FTC alleged that neither company had established a business relationship with consumers, since consumers did not reach out to them for information about their products or services prior to receiving a telemarketing call. There was also no express written agreement from consumers for the calls to be made. Absent either a pre-existing business relationship or express written permission, the calls were made in violation of the Telemarketing Sales Rule.
TIP: Entry into a sweepstakes or participation in a promotional offer likely does not amount to a pre-existing business relationship or express written permission. Absent these factors, calls cannot be made to individuals whose numbers are on the Do-Not-Call registry.
The Mobile Marketing Association, a self-regulatory group that provides guidelines for its members—and others—on how to engage in responsible mobile advertising, updated its mobile advertising guidelines in January. The guidelines direct companies that engage in mobile advertising to have clear offer terms, to indicate that other rates may apply for receiving text messages, and to have procedures first for obtaining consumer consent (opt-in) to receive mobile marketing messages, and second for consumers to opt out of receiving such messages. Among the changes in the new version are clarifications of the "standard rates may apply" disclosure requirement, as well as clarifications of the guidelines for messages that contain advertising for alcohol and tobacco. These guidelines can be very helpful for companies, given the absence of specific direction in the TCPA and CAN-SPAM regarding how, procedurally, companies should follow the laws' requirements. Even though in some instances the MMA Guidelines may include more than what is legally required, they give a good overview of what is becoming the "industry standard."
TIP: Companies that engage in mobile advertising should familiarize themselves with the provisions of the MMA Guidelines, which may serve for regulators as an indication of what is the "industry standard."
A class action lawsuit was filed against online social network Classmates.com for allegedly wrongfully inducing individuals to become paid members of the network through a deceptive e-mail marketing campaign. After a potential customer enrolled in a free trial, Classmates.com allegedly began sending enrollees e-mails, profile visit alerts, and guestbook signatures that falsely suggested that former classmates had been searching for the potential customer through the Classmates.com network. The plaintiffs indicate that they enrolled in a paid membership in reliance on these e-mails, only to find that no former classmates had attempted to contact them or view their profiles. The suit alleges that these e-mails constitute intentional misrepresentation, fraud, and violations of the California Business & Professions Code.
TIP: Take care when implementing an e-mail marketing campaign to ensure that the representations made in the e-mails are accurate and avoid implicitly overstating the potential benefit of the product or service.
On Feb. 24, 2008, the FCC issued an omnibus "Notice of Apparent Liability" against more than 600 telecommunications carriers that did not file certifications that they had a plan in place to protect customer call information, as required by federal law and FCC rules. As part of the notice, $13 million in fines were proposed. Carriers must, under FCC rules and a recent related order, have a plan to protect customer proprietary network information, which includes phone numbers called by the customer as well as the frequency, duration, and timing of such calls. Carriers must submit an annual certification of the plan to the FCC. When more than 600 carriers failed to submit satisfactory evidence of their timely filing of the certifications, the FCC issued the NAL, which included a proposed $20,000 penalty for each of the carriers. The carriers have an opportunity to submit evidence that no penalty should be assessed or that a lesser amount is appropriate.
TIP: Telecoms should ensure that they have appropriate processes in place to protect call data as required by the FCC.
IV. EMPLOYMENT AND WORKPLACE PRIVACY
An employee sued his former employer for wrongful termination after he was fired for failing a random drug test. The employer had informed the employee that he had the right to have his sample retested for confirmation but the employee argued that the employer violated Iowa law when it failed to notify the employee in writing by certified mail of his test results and his right to request a confirmatory test. The Iowa Supreme Court found that even though the employer ultimately sent written notice following the employee’s filing of the complaint, the employer nevertheless failed to substantially comply with Iowa drug testing law. However, because the employee ultimately submitted his sample for a confirmatory test and the confirmation test affirmed the original result, the court found that the worker was not entitled to damages, despite the employer's failure to comply with the notification law. Nevertheless, the employer was ordered to pay the employee's attorney's fees and costs because the court found that the lawsuit was a direct result of the company's failure to comply with the plain language of the law.
TIP: Take care when administering random drug tests. State laws vary with respect to employees' rights, and it is important to adhere to state testing and notification requirements.
The U.S. District Court for the District of Nebraska recently held that employees are liable under the Computer Fraud and Abuse Act if they access company email and computer files for purposes that are contrary to the employer's interests. The defendants were former employees of Ervin & Smith Advertising and Public Relations. Before resigning from their positions to start a competing agency, the defendants emailed a number of documents to their home computers, including confidential, trade secret, and copyrighted materials. The defendants contended that because they were employees at the time they accessed the agency's computers, they had authorization and therefore did not act "without authorization" or in excess of "authorized access," as is required by the statute to establish a violation of the Computer Fraud and Abuse Act. The court found that while the employees had previously been authorized to use their employer's computers, that authorization was revoked when they accessed the computers for their own personal gain and against the interests of their employer.
TIP: Employees should take care not to access employers’ computers and electronic files for purposes that are against the interests of their employers. Employers, be aware that the CFAA can serve as a tool when employees have improperly accessed companies' computer systems.
A California police officer sued his employer, the City of Ontario, Calif., after the city monitored his text messages on a department-issued pager without the officer’s consent. The Ninth Circuit previously ruled that the city’s search violated the officer’s federal and state constitutional privacy rights because the officer had a reasonable expectation of privacy based on the city’s “informal policy” of never auditing employee text messages. Additionally, the Ninth Circuit previously held that there existed a less intrusive means for the city to monitor such messages. The city petitioned for a rehearing, which was denied.
TIP: Companies should have clear policies that notify their employees whether they will monitor text messages or other communications on company-issued communication devices.
An Illinois court recently found that a major U.S. electronics company had established a cause of action under the Computer Fraud and Abuse Act. In the case, the company argued that a group of former employees accessed proprietary information, without authorization, for use by a competitor. The defendants filed a motion to dismiss, arguing that the statute required an allegation of damage as well as loss. The court rejected this argument, as well as the defendants' argument that they were authorized to access the company's computer systems. In so holding, the court pointed to the fact that the employees had specifically accessed proprietary information for the purpose of sharing it with a competitor, and such conduct exceeded authorized access.
TIP: In many circumstances the CFAA can serve as a tool for companies in pursuing employees who may have misused their computerized data.
A Starbucks employee filed a class action suit against the coffee giant alleging negligence and breach of contract based on the company’s loss of a laptop containing the personal data of approximately 97,000 U.S. Starbucks employees. The complaint alleges that Starbucks negligently failed to implement appropriate data security practices, even though it lost another laptop in 2006 which contained the names and social security numbers of approximately 60,000 current and former employees and the company’s written policies specifically prohibit storing employee personal information on mobile devices. Further, the complaint alleges that Starbucks failed to live up to its promises to protect its employees’ personal information made on its Web site and in various internal policies that it will maintain appropriate security to prevent any loss of personal information. The complaint also alleges that Starbucks’ offer to provide a year of free credit monitoring to all affected employees is an inadequate remedy, since one year of monitoring is insufficient to protect the employees from identity theft and the program has a $250 deductible in its provisions governing identity theft.
TIP: Companies announcing data breaches should keep in mind that impacted individuals may resort to filing class action suits.
The District Court in the Eastern District of Virginia recently ruled that the arbitration provision in an employment contract did not bar an employee from bringing a cause of action against CB Squared Services Inc., his employer, for violation of the Employee Polygraph Protection Act. The court found that the EPPA prohibits the waiver of an employee's right to bring a claim for an alleged violation and therefore the arbitration agreement was ineffectual. The EPPA prohibits most employers from 1) requiring or requesting a current or prospective employee to take or submit to a polygraph examination or 2) terminating employment based on the results of the employee's polygraph exam. Polygraph examinations are permitted only under limited circumstances and, even where allowed, must be conducted according to statutory procedure.
TIP: Requiring or requesting an employee take a polygraph exam is generally prohibited by federal law, with certain exceptions. If you have access to an employee's polygraph examination results, it is generally prohibited by federal law to use such results to terminate employment or discipline an employee.
V. DATA SECURITY AND BREACH
As we reported in October, Massachusetts recently amended its data protection law to require companies to both encrypt data when sending it electronically and to put in place a written data security program. The rules were to become effective January 1. That date was pushed back to May 1, and now is being delayed again, until Jan. 1, 2010. The delay was put into place after public hearings where affected companies indicated that compliance would not be possible by May 1.
TIP: Those who store driver's license numbers, social security numbers, or financial information about individuals in Massachusetts should take the extra time granted under this extension to familiarize themselves with the new security requirements that will go into place in January.
Under New Jersey's Identity Theft Prevention Act, companies are required to notify individuals in the event of a data breach, must securely destroy certain types of data, and are limited in use of social security numbers. Under the Act, the New Jersey Consumer Affairs Division issued Rules in 2007 establishing security requirements for computer systems that contained personal information. Those rules have now been revised, and under the proposed rules, businesses must have a written information security program that they keep on file and make available to the division. The program must be designed to ensure the security and confidentiality of information, protect against anticipated threats, and provide for a secure record destruction program and the review of service provider agreements, among other components.
TIP: Companies that maintain computerized files of information that include New Jersey residents' names and social security numbers, driver's license numbers, or account numbers (such as bank or credit account numbers) should review the proposed rules and determine if they have written procedures in place that would conform to the new rules.
The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce, recently issued new security guidelines to businesses and other federal agencies to address data security and privacy issues associated with mobile devices used by their employees. The NIST guidelines recommend that organizations implement security policies for mobile devices and conduct risk assessments and security training for workers and managers. The guidelines include specific steps that organizations can take to mitigate the risk of mobile device usage, including: (i) eliminating or disabling unnecessary applications downloaded onto mobile devices; (ii) implementing user authentication and access controls, such as strong passwords; (iii) restricting use of cameras, microphones, and removable storage media; (iv) enabling the ability to remotely erase or lock access to data stored on mobile devices; (v) using content encryption for certain data; and (vi) installing firewall, antivirus, intrusion detection, and anti-spam software.
TIP: While not binding requirements, the NIST guidelines are helpful for companies whose workers use mobile devices.
VI. HEALTH PRIVACY AND SECURITY
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009, contains provisions that are likely to create new benchmarks for HIPAA compliance. For example, the Secretary of HHS is required to issue annual guidance regarding the most "appropriate" and "effective" technical safeguards to protect medical data, which may well become new benchmarks for HIPAA compliance. The HITECH Act also includes a federal data breach notification standard that is more rigorous than most state laws, requiring a HIPAA "covered entity," "business associate," or health care vendor to notify consumers within 60 days of discovery of the breach, as well as to inform the media in a particular state if the breach involves more than 500 residents of that state. Moreover, "business associates" will be directly subject to civil and criminal penalties for violations of HIPAA privacy and security requirements, rather than simply to enforcement under the contract with the HIPAA "covered entity."
TIP: Review existing HIPAA contracts and compliance procedures to make sure they are consistent with the new HITECH Act provisions governing HIPAA compliance and penalties.
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the state attorneys general, on behalf of the residents of their states, now have authority to enjoin and seek damages for violations of both HIPAA and the HITECH Act. This is new, unprecedented authority for the state attorneys general in the HIPAA and federal health care regulatory area. Depending on how state resources are deployed, this may result in additional HIPAA and other federal health care violations being brought at the state level along with state health care privacy claims. Although not expressly stated in the new law, it is presumed that the state attorneys general will be able to hire private counsel on behalf of the state, as they have done in other consumer-related cases, which could further expand state enforcement and damages cases under HIPAA and the HITECH Act.
TIP: Be aware that state attorneys general now have litigation authority in HIPAA and HITECH Act matters and make sure your privacy policies are consistent with both federal and state laws and regulations.
CVS, the nation's largest prescription provider, settled HHS Office for Civil Rights (OCR) claims that the drug store chain violated the HIPAA privacy rule due to a lack of data disposal security procedures. The drug store chain paid $2.25 million to resolve the claims and entered into a resolution agreement with HHS, which is reserved for investigations with more serious outcomes when OCR has been unable to reach a satisfactory outcome through compliance or corrective action. The HHS OCR settlement was related to an FTC settlement regarding CVS's alleged failure to take appropriate security measures to safeguard consumer and employee health and financial information.
TIP: Make sure that data security and privacy measures comply not only with HIPAA and applicable state health care privacy laws, but also with any relevant FTC regulations.
VII. FINANCIAL PRIVACY
An individual sued online retailer Zazzle when the company displayed credit card expiration dates on its on-screen payment confirmation pages. The plaintiff argued that Zazzle's practices violated the Fair and Accurate Credit Transactions Act (FACT Act) requirement that a retailer shall print no more than the last 5 digits of a customer's credit card number, and shall not print the expiration date, upon any receipt. The U.S. District Court for the Southern District of Florida found that the FACT Act's restriction on "printing" credit card information on receipts was not intended to cover payment confirmations displayed on-screen after an Internet purchase. The court reasoned that if Congress had intended the FACT Act's prohibitions to extend to email transmissions, the plain language of the statute would have reflected such an intention. However, the court did note that in some cases other courts have disagreed and held that on-screen confirmations were "printed" and therefore covered by the FACT Act.
TIP: Because various courts have disagreed on the issue, online retailers should exercise caution when displaying credit card information, including expiration dates, on their on-screen receipts following online sales. An online merchant should consider removing expiration dates from online receipts until the matter is uniformly settled.
Two individuals who voluntarily submitted their personally identifiable information to riverbellcasino.com to download online gambling software became victims of identity theft, allegedly because spyware embedded on the Web site enabled third parties to obtain their personally identifiable information. More than $600,000 of unauthorized charges were made. The individuals sued their credit card companies, alleging that the companies breached implied promises to protect them against fraud, and that the companies failed to notify them of, or to reverse, suspicious charges. The federal court in Pennsylvania dismissed all of the claims, finding that an implied-in-fact contract cannot be found when the parties have an express customer agreement dealing with the same subject matter.
TIP: Companies should consider whether the terms in their customer agreement clearly describe and summarize their policies, procedures, and responsibilities for identity theft victims.
California's Song-Beverly Credit Card Act prohibits retailers from requesting or requiring, as a condition of accepting a credit card payment, "personal identification information" of a cardholder that does not appear on the credit card itself. However, the statute does not define "personal identification information," and that gap has frequently raised questions for those trying to adhere to the law's requirements. In a class action against Party City, a California court of appeals interpreted the extent to which certain information would be considered "personal identification information," ruling that zip codes are not personally identifiable data. In reaching its decision, the court stated that, unlike addresses and telephone numbers, zip codes are "group identifiers," shared by many thousands of people. In addition, the court noted as persuasive the fact that Party City did not require the zip code to process credit card transactions, did not link the zip code to other customer data, encrypted the zip code information, did not maintain a database of customer zip code information, and did not share that information with third parties. In making its decision, the court also took into account the legislative history of the statute and the fact that the statute carries significant civil penalties, which supported construing it in favor of retailers.
TIP: The various states individually limit the type of information that may be obtained in certain financial transactions. Accordingly, retailers and others who collect personally identifiable information should establish policies, procedures, and internal controls to ensure compliance with the financial privacy laws of each state in which they conduct business.
The FTC recently settled with Premier Capital Lending, Inc. (PCL), a mortgage lender which the FTC alleged had engaged in a number of practices that failed to securely protect consumers' personal information, including failing to: 1) assess the risks of allowing third parties to access consumer information through the PCL account; 2) implement risk management practices, such as ensuring that third-party access to consumer information was secured; 3) monitor third-party access for signs of unauthorized activity; and 4) assess the full scope of consumer information stored and accessible, and therefore exposed to compromise by unauthorized activity. The FTC further alleged that PCL's practices violated the Safeguards Rule under the Gramm-Leach-Bliley Act by failing to identify data security risks and failing to design and implement safeguards to minimize the risk of a breach. The FTC also alleged that PCL misrepresented that it had implemented reasonable and appropriate measures to protect consumer personal information. Under the settlement agreement, PCL agreed to identify internal and external risks to the security and confidentiality of consumer personal information, design and implement safeguards to control the identified risks, take reasonable steps to ensure that the service providers it uses to transmit personal information also maintain appropriate safeguards, and properly document PCL's redesigned security program.
TIP: Entities engaged in activities that are financial in nature are required to implement risk-based data and information security programs that are designed to protect personally identifiable financial information, scaled to the size and business operations of the entity. In addition, the data and information security programs must be subjected to independent testing at least annually. Moreover, each entity that uses third-party service providers must have in place written agreements regarding data and information security that outline the duties and responsibilities of each party and establish that the service provider maintains its own data and information security program that, at a minimum, meets the requirements of the entity.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
CHICAGO
Liisa M. Thomas (Advertising), (312) 558-8121
Christine A. Edwards (Financial Services), (312) 558-5571
Michael Melbinger (Employee Benefits), (312) 558-7588
Cheryl Tama Oblander (Labor & Employment), (312) 558-5797
Stephen P. Durchslag (Advertising), (312) 558-5288
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Philipp (Financial Services), (312) 558-5905
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Robert H. Newman (Advertising), (312) 558-8125
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964

NEW YORK
Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Maxence Marsin (Corporate/Intellectual Property), 33 (0) 1 53 64 82 16
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47

SAN FRANCISCO
Andrew P. Bridges (Intellectual Property), (415) 591-1482
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Becky L. Troutman (Intellectual Property), (415) 591-1401
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056

WASHINGTON, D.C.
Marion K. Goldberg (Health Care), (202) 282-5788
Paul S. Pilecki (Financial Services), (202) 282-5730
Michael A. Mancusi (Financial Services), (202) 282-5729
Richard P. Gilly (Intellectual Property), (202) 282-5853

LOS ANGELES
Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
Michael S. Brophy (Labor & Employment, Litigation), (213) 615-1807
Evan R. Moses (Labor and Employment), (213) 615-1713
Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice, which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
Copyright © 2009. Winston & Strawn LLP.