Tsibouris Privacy + Technology Law Blog

Facebook Photos - Deleted or not?

2012-02-07T07:43:00.003-05:00

We frequently draft or revise client data protection policies. As we work with them to design and implement such policies, we emphasize the importance of the minimization of personal data, including the deletion of personal data when it is no longer needed. This is particularly of interest when our clients store employee or customer personal data at a vendor or in the cloud.

On Monday, Ars Technica highlighted the challenges of deleting personal data in this article. In the article, the author notes that photos requested to be deleted three years ago are still available.

European Commission Releases Proposed Revisions to the EU Data Protection Directive

2012-01-25T18:00:00.004-05:00

by Mehmet Munur

The European Commission announced the proposed revisions to the EU Data Protection Directive today. The widely expected revisions will create uniformity by using a regulation instead of a directive, remove obligations to notify data protection authorities of data processing activities, require data breach notification, increase fines (up to %2 of a company’s global annual turnover), streamline access, introduce a right to be forgotten, expand Binding Corporate Rules to processors, and strengthen the Data Protection Authorities. The Article 29 Working Party also issued a press release supporting the new Regulation.

The proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) creates a number of changes based on the Data Protection Directive. While some of the provisions, such as the fines and the right to be forgotten, may prove controversial, other provisions relating to removal of the obligation to notify DPAs will likely be celebrated. The Regulation uses some of the same terms as those defined in the Directive 95/46/EC; however, it also introduces new definitions for terms such as personal data breach, genetic data, biometric data, binding corporate rules, and others. The Regulation also clarifies transparency principle, data minimization principle, and the obligation to obtain consent for processing of personal data. The Regulation also introduces more detailed access rights for individuals adding new elements relating to storage periods of personal information, right of rectification and erasure, data portability, and complaint resolution. While these protections are likely to bolster the individual’s control over the personal information held by data controllers and processors, it will likely create additional burdens on data controllers and processors to enable the data subjects to exercise these rights.

The Regulation also introduces new obligations on the data controller and data processors. The Regulation will require privacy by design and default, explicitly introduce the principle of accountability, and clarify the responsibilities of joint controllers. The Regulation states that the data processor may be considered a joint data controller in the event it goes beyond the scope of data controller’s instructions. This particular provision appears to be a result of the concerns the Article 29 Working Party had over processors such as SWIFT. The Regulation will also explicitly require the cooperation of both the data controller and the data processor with the Data Protection Authorities. The security obligations of the data controller include the obligation to notify the data subject of the breach of personal data. Currently, that proposal includes a “where feasible, not later than 24 hours after having become aware” provision. This provision is likely to be revised before the Regulation becomes law to a more reasonable time frame.

The Regulation makes the Data Protection Officer mandatory for the public sector, where processing is carried out by more than 250 people, and where the core activities of the controller or the processor consist of operations that require systemic monitoring of data subjects. German Data Protection law provided such detailed requirements for the Data Protection Officer. Previously, the creation of such a position decreased the administrative burden on the data controllers and their obligation to notify the Data Protection Authorities with the processing of personal information. This approach is likely to continue with the new Regulation.

The Regulation also includes further details regarding international data transfers. It specifically mentions Binding Corporate Rules. These rules now specifically refer to a data processor’s, as well as a data controller’s, ability to obtain authorization for Binding Corporate Rules. This provision should allow service providers to obtain authorizations for BCRs and transfer personal information internationally without having to rely on Standard Contractual Clauses. However, the time and resources required to obtain authorizations for these BCRs may still be substantial. Considering that the Regulation may take some time, as long as a couple of years, to become law, we may not find out about this process for a while. Finally, the Regulation creates the European Data Protection Board that replaces the Article 29 Working Party. This Board is to ensure the consistent application of the Regulation, review guidelines, recommendations and best practices, and issue opinions, among other responsibilities.

The Regulation comes with both advantages and disadvantages compared to the current regime in place in the EU. On the one hand, the Regulation will likely foster a more uniform approach to data protection in the EU. Once the Regulation becomes law, member states will not be required to transpose it into national law. This will reduce the local differences in the substance of the law. However, the Regulation still provides for independent Data Protection Authorities. These DPAs will ultimately have different interpretations of the Regulation and as it interacts with local law and culture. However, the European Data Protection Board will hopefully have the effect of creating more uniformity. Many will likely celebrate the end of the notification of DPAs regarding the processing of personal information. These registers of personal information were mostly automated, reviewed by few, yet required the time and resources of many corporations. Their departure will allow the DPAs and the corporations to work on more substantive privacy and data protection issues. Assuming that the BCR process is further streamlined, then we can see more companies and services providers getting in line to obtain authorizations. On the other hand, the right to be forgotten, the increased fines, and the restrictions on the legal basis for processing of personal information will likely draw criticism. Hopefully, in the coming years, the Regulation will be revised to better balance some of the obligations on data controllers.

Proposed EU Privacy Rules Concern Businesses

2012-01-23T10:29:00.002-05:00

A proposed change to EU privacy law is going to be released this week, proposing a single regulator and increased penalties. It would also include 24 hour data breach disclosure. We will discuss this more once they are released.

Binding Corporate Rules and the Proposed EU Data Protection Regulation

2011-12-23T16:20:00.006-05:00

by Mehmet Munur

The proposed revisions to the EU Data Protection Directive with a regulation sometime next year is likely to result in multitude of changes for privacy regulation in the EU and around the world and may make the use of Binding Corporate Rules more attractive for midsize companies and data processors. While 2011 was the year of Privacy by Design, 2012 may end up being the year of the BCRs if this proposed regulation becomes law.

The revision to the EU Data Protection Directive is likely to be a regulation instead of a directive, which may result in more uniform data protection laws across the EU. Nevertheless, EU data protection law is based on local employment and labor law to a certain extent. Therefore, there is bound to be some variation in implementation and the differences in culture and enforcement are likely to continue. While there will be many exciting and controversial changes to the Directive, from enormous fines to right to oblivion, BCRs have already taken center stage. (You may read more about the proposed revisions to the EU Data Protection Directive titled “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” here.)

The original BCR system was overly bureaucratic and costly. When the BCR system first started, the applicant would have to seek authorization from each Data Protection Authority In the EU. Considering all of the language and cultural barriers to reviewing a set of rules, this process was mired with reviews and re-reviews until every DPA’s requirements were met. In fact, Peter Fleischer called BCRs data protection for the rich. Then the system was more streamlined with 5-7 DPA reviews with a single DPA acting as the lead. This shrank the time in obtaining from years to around 9 months. However, the process is still expensive and cumbersome. That may not be the case with the revisions to the Directive.

During her keynote address for the IAPP Europe Data Protection Congress, European Commissioner Viviane Reding shared her plans to make binding corporate rules even more effective with simplicity, consistent enforcement, and innovation. She pointed to the bureaucratic nature of the BCR approval stating:

I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.

I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers.

Though some DPAs have disagreed with this approach, others have already started pushing for companies to start preparing for these BCRs. Considering that the BCRs are likely to be broad enough to apply to processors as well as data controllers, using BCRs for inter-company as well as intra-company transfers may become a reality in the near future.

Therefore, if they are simplified and expanded to processors, 2012 may indeed be the year of the Binding Corporate Rules. Instead of relying solely on Standard Contractual Clauses, midsize companies can obtain authorization using one DPA for all of their intra-company data flows. Furthermore, they may also be able to obtain BCR authorization as safe processors. This should enable cloud service providers to provide cloud services to other companies using their BCRs. Using the older BCR system, companies were only able to obtain BCR authorization applying to data for which they were the data controllers. With this new system, BCRs for data processors should also be possible. As a result, BCRs should become a true option for midsize companies and processors of all kinds--and quite likely a favored option for cloud service providers.

You may read about some of the BCRs that have already been approved by the EU DPAs below. Note, however, that it is the underlying processes and policies that support the BCRs that are difficult to prove and implement. Nevertheless, these BCRs should prove useful in finding out what the DPAs are looking for in these policies.

Daimler Benz

Deutsche Telekom (http://www.telekom.com/static/-/15714/1/code-of-conduct-si)

Philips (2)

Aside from these companies, the following companies have obtained authorization for BCRs:

Accenture

Atmel Corporation

Bank Austria Creditanstalt

Bristol Myers Squibb

Cargill

CareFusion Incorporated

Deutsche Post DHL
First Data

Hyatt Hotel Corporation

International SOS

IMS Health Incorporated

JPMorgan Chase

Novo Nordisk

Safran

Schering

Their policies may also be available publicly. We hope to have this list updated with the appropriate links in the near future.

FTC Announces Enforcement Action Against Facebook

2011-11-29T15:12:00.002-05:00

by Mehmet Munur

Recent reports about the FTC and Facebook nearing a settlement were true because today the FTC announced that it had entered into a proposed settlement with Facebook for Facebook's failure to keep its users' information on Facebook private and repeatedly allowing users' information to be shared and made public.The proposed settlement bars Facebook from making misrepresentations about its privacy and security practices, requires it to obtain affirmative express consent before enacting changes that override privacy preferences, as well as the usual FTC enforcement requirements regarding a privacy program and a 20-year duration. The 8 count complaint includes violation of the U.S. Department of Commerce EU Safe Harbor Framework, marking the second substantive enforcement action of the FTC after the Google Buzz enforcement action. The enforcement action reinforces (1) previous FTC enforcement actions relating to aligning privacy policies and practices, (2) the importance of using screenshots for attorneys working on technology and privacy projects, and (3) the viability of the Safe Harbor as a method of transfer for personal information from the EU.

The first count of the FTC complaint relates to the deceptive privacy settings for Facebook. There, the FTC alleges that users' profile privacy settings relating "Only Friends" or "Friends of Friends" were accessible through Facebook's Platform Application. While this sharing exceed the scope of only friends and friends of friends, it was not effectively disclosed to the users, resulting in a false or misleading representation.

The second and third counts in the FTC complaint relate to Facebook's 2009 changes to its privacy policy. As a result of Facebook's changes to its privacy practices in November 19, 2009, users prior choices regarding their publicly available information was overridden. As a result, users' friends list was available to everyone and users became visible in Facebook searches. When Facebook changed these settings back using a privacy wizard, FTC alleged that it left out material facts regarding changes to overriding users' previous privacy settings. Facebook's failure to clearly state make the effects of these changes to the users constituted a deceptive act. Facebook's application of these privacy settings to the user's previously collected information without countervailing benefits to the consumer constituted unfair act under the FTC Act.

This third count is important and requires some more discussion. The FTC has maintained for some time, at least since the Toysmart enforcement action, that material retrospective changes to privacy policies without the express consent of the users constitute unfair trade practices. Now, the FTC further elaborates on the point and states that the users must not only provide affirmative consent, but that the consent must be properly informed. The Article 29 Working Party made a similar point in its recent guidance regarding the definition of
consent in WP187. Even though Facebook used a privacy wizard to enable users to change their privacy settings, the disclosure of information was not adequate. In other words, the FTC's unfairness claim against Facebook brings together the Toysmart enforcement action and the Sears enforcement action.

The fourth count in the FTC complaint relates to the amount of access Facebook provides to its Platform Applications. The FTC argued that Facebook had stated in various locations that the Platform Applications needed access to the users' profile information that was required for the applications to work. In fact, he FTC alleged, the applications received more information than they were required to work, such as the users' relationship status, photos, and videos. In effect, the FTC argues here that Facebook's statements and processes failed the Data Integrity Principle of the Safe Harbor, without necessarily stating it. This principle is also explained in Article 6(C) of the EU Data Protection Directive stating that personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed" In simplest terms, Facebook's statements regarding its actions its actions did not entirely line up with its statements.

The fifth count of the FTC complaint relates to Facebook's sharing of information with advertisers, despite its statements to the contrary. The sixth count of the FTC complaint relates to Facebook's Verified Apps program. There, Facebook made statements that its Verified Apps were "secure, respectful and transparent" and that these apps had passed Facebook's review. In fact, Facebook had taken no steps to verify the security of these applications, which turned out to be a false and misleading representation. The seventh count related to Facebook's failure to prevent access to deactivated accounts. FTC alleges that Facebook allowed others to access users' photos, videos, and other Facebook content after the accounts were deactivated. These actions, once again, constituted false or misleading statements.

The eighth and final count of the FTC complaint alleges violations of the EU Safe Harbor, which Facebook joined in 2007. This enforcement action against Facebook also happens to be the second substantive Safe Harbor enforcement action and the fourth overall. The FTC's first substantive enforcement action was against Google over the roll out of Google Buzz. Here, Facebook's failure to obtain the affirmative informed consent of its users for the changes in its privacy practices and its failure to clearly state the purposes and means of processing of the information it collects resulted in the violations of the Notice and Choice Principles of the Safe Harbor.

As a result of the enforcement action, Facebook entered into a proposed consent order. The consent order, among other things, (1) prohibits Facebook from making misrepresentations about its privacy or security practices, (2) requires it to obtain express and informed consent for changes that materially exceed restrictions placed by users, (3) requires it to establish a comprehensive privacy program, (4) requires it to obtain biennial third party assessments of its practices, (5) requires it to retain appropriate records, and (6) terminates in 20 years.

The FTC's enforcement action against Facebook is important for several reasons. First, it affects half a billion people around the globe and provides them with fundamental privacy protections under the watchful eye of the FTC. Second, it expounds on privacy principles previously articulated by the FTC in new ways and shows the importance of clear and unambiguous privacy policies and practices. Note that Facebook used a privacy wizard in order allow its users to change their privacy practices but its statements were still deceptive and unfair. As a result, the enforcement action once again highlights the importance of brief and accurate privacy statements, which was the lesson that the FTC was attempting to teach in the Sears enforcement action.

Third, the enforcement action demonstrates the importance of screenshots. FTC's hiring of its first full time technologist has led to some changes. The FTC is now using screenshots more than ever in its complaints. The Facebook complaint is the first complaint (that I am aware of) where the screenshots were in the body of the complaint instead of the exhibits, which is where the Google Buzz screenshots were located. Now, however, the screenshots take center stage in the many of the counts of the FTC complaint. This makes perfect sense as the web takes place on the screen, whether on a desktop, laptop, phone, tablet or TV. This may seem like a minor difference, however, it marks an important shift. The regulators and litigators are increasingly looking at the presentation of companies practices as well as the words in their privacy statements. Therefore, any implementation of a product or service that requires interaction on an electronic device requires that attorneys, as well as the programmers, closely examine work product using screenshots. Though this point is abundantly clear to many technology and privacy attorneys before, the Facebook FTC enforcement action should make it clear to all attorneys. Reviewing screenshots of any product or service is crucial for the successful implementation of any project and is mandatory for the defense of any claim relating to privacy or technology.

Finally, the increasing number of EU Safe Harbor enforcement actions by the FTC shows that the promises of the Enforcement Principle of the Safe Harbor are not hollow. EU Data Protection Authorities continue to point to the Binding Corporate Rules as the preferred method of transfer of personal information to countries with inadequate protections under the EU Data Protection Directive. However, the BCRs are beyond the reach of many companies due to their extensive time and resource requirements. Until the EU Data Protection Directive is amended to allow even a more streamlined BCR process, the Safe Harbor will remain the main choice of U.S. companies (under FTC and DoT jurisdiction) wishing to transfer personal information from the EU.

FTC Announces Enforcement Actions Against Social Network and Online Advertiser

2011-11-08T21:02:00.004-05:00

by Mehmet Munur

The Federal Trade Commission announced an enforcement action against Skid-e-kids and a separate enforcement action against online advertiser ScanScout. The enforcement action against ScanScout involved the violations of Section 5 and the use of Flash cookies without disclosing their use in its privacy policy. The enforcement action against Skid-e-kids involved violations of COPPA and the failure to obtain parental consent. Once again, these enforcement actions highlight the importance of drafting accurate privacy policies and following through on those promises.

The enforcement action against Skid-e-kids resembles the enforcement action against W3 Innovations, LLC due to its mobile application failing to pass muster under COPPA. According to the Skid-e-kids FTC complaint, Skid-e-kids promoted itself as “Facebook and Myspace for kids” and permitted kids to register and create accounts, create public posts, upload posts, among other things. The registration process collected birth date, gender, username, password, and email address from the registrants. However, children were not required to provide parents’ email address to obtain consent. At the same time, Skid-e-kids’ privacy policy stated that it would require email addresses of parents that would be used to obtain consent and to notify them about Skid-e-kids’ privacy policy. In practice, Skid-e-kids never collected the email addresses of the parents, never contacted them to notify them of its privacy practices, and never obtained consent from the parents. As a result, the FTC alleges violations of COPPA and FTC Act.

The resulting consent order requires Skid-e-kids to refrain from violating COPPA, delete the personal information from the children, and place a notice on its website with links to the On Guard Online website. In addition, the FTC imposed a civil penalty of $100,000 but suspended all but a $1,000 of this penalty. The consent order requires Skid-e-kids to retain a privacy professional with COPPA experience to conduct assessments, retain records, and report its compliance with the consent order to the FTC.

The enforcement action against ScanScout, on the other hand, resembles the enforcement action against Chitika. According to the FTC ‘s ScanScout complaint, ScanScout acts as a intermediary between websites and advertisers and publishes advertising space on videos. ScanScout decides which video advertising should be delivered to which user. Unlike the Chitika enforcement action that used HTTP cookies, ScanScout used Flash Cookies from April 2007 to September 2009. At that time, deletion of browser’s HTTP cookies did not result in the deletion of Flash cookies—though since then Adobe and the major browsers have finalized APIs that result in the deletion of Flash cookies by the deletion of HTTP cookies. However, at the same time, ScanScout’s Privacy Policy stated that a user could opt out receiving a cookie by changing their browser settings. In practice, however, the users could not opt out receiving these cookies, and therefore, could not stop the tracking by ScanScout.

The resulting agreement and consent order requires ScanScout to provide a clear and prominent method to enable users to opt out of having their data that can be associated with a particular user collected by ScanScout. This opt-out must last at least 5 years and ScanScout must display links in the advertisements it serves for this opt-out mechanism. The agreement and consent order also comes with other compliance and reporting obligations and lasts for 20 years.

Together, these two enforcement actions, once again, highlight the importance of having accurate privacy policies in place. These two companies came under the FTC’s radar not just due to their actions, but also due to the statements regarding their privacy policies. ScanScout’s privacy policy had not been updated to show that it was using Flash cookies in order to track users. There was also a clear mismatch between what Skid-e-kids’s privacy policy stated and what it did in practice. Attorneys may draft the most intricate privacy policies; however, without processes to ensure that those policies are in place in operations, most businesses are open to FTC enforcement actions or lawsuit by their users. As a result, drafting and implementation of privacy policies must include not just the legal department, but all departments involved in the execution of actions outline in the privacy policy.

Consumer Financial Protection Bureau Issues Supervision Manual 1.0

2011-10-18T09:06:00.003-04:00

We represent a number of financial service providers, so it is important to understand the laws that govern them. However, it is also important to understand how their regulators view the law as well. The Consumer Financial Protection Bureau just released its supervision manual which is a very useful tool to help guide the creation and delivery of financial services online:

Federal government regulators usually have manuals for their examiners. Our manual provides our examiners with direction on how to determine if providers of consumer financial services are complying with consumer protection laws - and how to determine if the providers have adequate policies and procedures in place to comply with those laws.

The manual is located here.

ISSA Social Media Summit

2011-10-11T12:07:00.001-04:00

Dino and I will be presenting at the ISSA Social Media Summit that will be held on October 19, 2011 from 11am to 4pm at the J. Liu restaurant in Worthington following the regular ISSA chapter meeting. Dino will be part of a lunch panel wh Brent Huston from MicroSolved, Inc., Kevin Shea from JP Morgan Chase, Ray Vazquez from Infinitive, and Brian Mannion from Nationwide. Dino and I will join Justin Root from Porter Wright on the Social Media and Legal Risk panel presentation following this lunch panel. Brian Mannion and Kevin Shea will follow with an in-house perspective on Social Media after our presentation. Brent Huston from MicroSolved will close with the security issues affecting Social Media. You may find out more information and register for the summit here.

Effective Privacy and Security Compliance Requires an Understanding of Data Flows within the Company

2011-10-04T17:57:00.003-04:00

We were recently interviewed by Nymity regarding understanding an organization's data flows. We focused on data flow mapping and how companies can build and use these maps for effective privacy and security compliance. We also discussed recent privacy enforcement actions in relation to data flows and the importance of understanding local laws and regulations. You may read the interview titled "Effective Privacy and Security Compliance Requires an Understanding of Data Flows within the Company" here.

FTC Announces Second Mobile Application Settlement

2011-09-08T17:49:00.001-04:00

by Mehmet Munur

The FTC announced an enforcement action against the two marketers of mobile applications on Apple and Google mobile application stores that claimed, among other things, to cure acne by “resting the iPhone against your skin’s acne-prone areas for 2 minutes daily to improve skin health without prescription drugs.” This is the second enforcement action that the FTC brought against mobile application developers. The first mobile application enforcement action was for violations of COPPA.

According to the FTC complaint against AcneApp, the advertisement for the application contained statements that the application was an effective treatment for acne and that the representations relating to the application were false and misleading. The description of the application stated that it had been developed by a dermatologist and a British Journal of Dermatology study showed the effectiveness of the treatment. As a result, the FTC alleged that the marketer’s actions amounted unfair and deceptive trade practices under Section 5 of the FTC Act.

The accompanying agreement and consent order requires the marketers to pay $14,294 in fines to the FTC . It also prohibits the marketers from representing that the AcneApp provides effective treatment for Acne unless they have reliable scientific evidence substantiating that representation. The consent order also contains record keeping requirements relating to all advertisements and notification requirements. As is customary with FTC enforcement action, the order terminates in 20 years. However, it does not include any third party assessments, which is usual for enforcement actions relating to security breaches. The complaint and the agreement sand consent order for the second application (aptly titled Acme Pwner) marketer are similar in nature. However, the fines are limited to $1,700.

This enforcement action is the second enforcement action for the FTC in the mobile space. At the time of the first enforcement action, we proclaimed that the FTC would continue to be active in this area. This is yet another indication of the FTC’s willingness to bring enforcement actions in the mobile space. We expect the next enforcement action to be based on the privacy or security practices of a mobile application directed towards adults.

California Updates its Breach Notification Law

2011-09-06T08:57:00.004-04:00

Last week, California governor Jerry Brown signed into law SB 24 which updates California's existing data breach notification law (SB 1386) by adding new requirements for data breach notices sent to affected California residents. The bill was sponsored by State Senator Joe Simitian, whose office provided a fact sheet summarizing the bill's main points:

Establishes standard, core content -- such as the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies -- for security breach notices in California;

Requires public agencies, businesses, and persons subject to California’s security breach notification law, if more than 500 California residents are affected by a single breach, to send an electronic copy of the breach notification to the Attorney General; and,

Requires public agencies, businesses and persons subject to California’s security breach notification law, if they are utilizing the substitute notice provisions in current law, to also provide that notification to the Office of Information Security or the Office of Privacy Protection, as applicable.

FTC Announces Settlement with Mobile App Developer

2011-08-15T17:21:00.001-04:00

by Mehmet Munur

The Federal Trade Commission announced a settlement with mobile application developer W3 Innovations, LLC for violations of the Children’s Online Privacy Protection Act (COPPA). According to the FTC complaint, the developer collected personal information from children under the age of 13 through its mobile applications without a privacy notice to the children, without a privacy notice to their parents, and without verifiable consent from the parents as required by the COPPA rules. The FTC settlement requires the developer to 1) cease all violations of COPPA, 2) delete all personal information collected in violation of COPPA, 3) pay a civil penalty of $50,000, and 4) subject itself to a compliance reporting program. Also today, the FTC announced a guide for teens for Living Life Online.

According to the FTC complaint, the developer offers for download approximately 40 applications in Apple’s App Store. Some of the applications, Emily's Girl World, Emily's Dress Up, Emily's Dress Up & Shop, and Emily's Runway High Fashion, are, as the exhibits to the FTC complaint show, directed to children. According to the complaint, Emily's Girl World application was downloaded 32,000 times while Emily’s Dress-up was downloaded 27,000 times. The applications allowed users to share names, email addresses, comments, and “blush” stories using the application or emails related to the application. The blog functionality was also accessible from within the applications. The developer maintained a database of over 30,000 email addresses as a result of the information collected from the apps. The developer failed to provide notice to the users, their parents, and failed to obtain verifiable consent from the parents before collecting the personal information from the users as required under the COPPA rules located at 16 C.F.R. § 312.4.

The resulting consent decree and order bars the developer from continuing violations of the COPPA rules, requires it to pay $50,000 in civil fines, and requires it to submit to a compliance monitoring program. The program requires the developer to allow the FTC to monitor compliance with the consent order by obtaining reports and documents from the developer. Under the order, the developer also takes on reporting obligations with respect to any changes in address, ownership, or name and other information such as bankruptcy filings. In addition, the developer has record keeping obligations relating to demonstrating its compliance with the consent decree and order for a period of 6 years.

This enforcement action is not entirely unexpected because the FTC has been signaling its interest in bringing an enforcement action in the mobile space for some time. Jessica Rich testified in front of Congress in May relating to mobile privacy issues. Most recently, BNA reported that, at the August 8^th American Bar Association Toronto meeting, the FTC Commissioner Julie Brill stated that the FTC would be bringing enforcement actions in the mobile space under its Section 5 authority.The selection of the FTC’s jurisdiction under COPPA makes perfect sense as well. Under the FTC’s COPPA regulations, the mere failure to post privacy notices and obtain verifiable consent from parents before collecting personal information is a violation of the regulations—without unfair and deceptive practices in relation to the treatment of that information. As a result, applications that target children under the age of 13 without posting notices and obtaining verifiable consent from parents make an efficient enforcement target for the FTC.

However, the monetary fines pale in comparison to the $3 million in fines assessed to Playdom Inc. in May 2011 for violations of COPPA. There, Playdom operated 20 online virtual worlds and collected personal information from children under the age of 13 without obtaining verifiable consent from parents and without providing parents with notice. The size of the fine in that enforcement action is likely proportional to the size of the users Playdom’s virtual worlds. According to the FTC, one Playdom website had 403,000 registered users while another had 821,000 registered users. Another egregious factor was that Playdom’s website privacy policy stated that it would prohibit children under the age of 13 from posting personal information on its websites—thought it clearly did not.

Taken together, these two enforcement actions show that the FTC will continue to be active in the mobile space with large consequences for developer. The number of users of mobile technologies is increasing tremendously. Congress has had to pay closer attention to this area because their constituents are becoming more concerned with these issues. It does not help that the treatment of personal information collected by mobile applications is rarely, if ever, disclosed through privacy policies. Add to this the missteps by Apple and Google with regards to their location tracking features and you end up with the perfect conditions for FTC to step in with enforcement actions based on well-established Section 5 authority. Considering that Pandora and other mobile application developers received subpoenas from a federal grand jury, this is unlikely to be the last enforcement action in the mobile arena.

FinCEN Releases Final Rules on Stored Value and Money Services Businesses

2011-07-26T21:09:00.003-04:00

By Mehmet Munur

The Financial Crimes Enforcement Network of the Department of Treasury released final regulations relating to money services businesses and stored value that amend Bank Secrecy Act regulations. The final regulations provide clarity, incorporate previous administrative rulings, and create exclusions from the definition of MSBs for activities that pose low risk for money laundering.

FinCEN’s final rules regarding MSBs is more of a clarification in nature than a broadening of the existing regulations. For example, the final rules specifically incorporate previous FinCEN rulings and guidance relating to exceptions to MSBs for payment processors, armored cars, and gift cards. The regulations also provide some clarification regarding agents, the meaning of “doing business,” and MSBs located outside of the US.

The final rules regarding stored value redefine that term as prepaid access. The regulations also retain a facts-and-circumstances test, but introduce helpful criteria that may help determine whether an entity is a provider or seller of prepaid access. In addition, FinCEN has chosen to create a $2,000 threshold for closed loop stored value that will be excluded from stored value programs. As a result, those excluded entities will not be subject to the AML program obligations that go along with stored value programs. Other exclusions to stored value programs relate to flexible spending and dependent care funds and payroll programs that do not (i) allow international transfers, (ii) transfers among users, and (iii) loading additional sources from non-depository sources.

As a result of the various comments by the industry and law enforcement, FinCEN has created a regulatory scheme that focuses on the risks of money laundering while leaving many of the schemes that are unlikely to result in money laundering risk unregulated.

Will your insurance actually cover losses from your cyber attack?

2011-07-23T09:01:00.007-04:00

Reuters reports that Zurich American Insurance Company is suing both its insured customer Sony and other of Sony's co-insurers to obtain a ruling that it does not have to pay claims by Sony for damages resulting from its recent cyberattack resulting in the loss of personal data from its PlayStation Network. The article summarizes the hack:

"In April, hackers accessed personal data for more than 100 million users of Sony's online video games. Sony has said it could not rule out that some 12.3 million credit card numbers had been obtained during the hacking."

The ruling may hinge on whether Sony simply obtained a general liability policy, which is unlikely to cover more than property damage, or if it obtained coverage against cyber risks - which is normally a supplemental form of coverage. Currently the White House is encouraging the growth of the cyberinsurance market as a way to encourage companies to obtain financial protection from loss and as an incentive to enhance their own systems as a consideration for underwriting.

Have you checked your policy to see if claims from cyberattacks are specifically covered? Your policy summary from your commercial underwriter may not show enough detail to know - you need to read the policy itself to be sure, including the exclusions, deductibles, and amounts.

Article 29 Working Party Publishes Opinion on the Definition of Consent

2011-07-15T12:05:00.004-04:00

By Mehmet Munur

On July 13, the Article 29 Working Party published an opinion on the definition of consent. The document expands on the Working Party’s previous definition of consent and now includes the following elements: indication, freely given, specific, unambiguous, explicit, and informed.

The document also includes recommendations for the upcoming review of the EU Data Protection Directive. Those recommendations relate to specifically defining unambiguous consent, as opposed to implicit consent; controls for data controllers; quality and accessibility of information forming the basis for consent; and other suggestions regarding minors. Similar to the Working Party’s definition of controllers, this new opinion contains example scenarios. These examples include everything from Bluetooth ads, to e-health records, to body scanners. You may find the opinion here.

Privacy Statements for Mobile Apps

2011-05-31T09:51:00.003-04:00

You have a privacy statement on your website - but what about your mobile sites? Here is a thought provoking article worth reading.

The existence of a written privacy policy is a minimum standard that all developers should adhere to, says FPF, and now the group has put together a website, applicationprivacy.org, meant to help developers create privacy policies and stick to them.

Obama Administration CyberSecurity Legislation Proposal and Related Privacy Bills in Congress

2011-05-27T13:33:00.002-04:00

by Mehmet Munur

The Obama Administration unveiled a proposal for a Cybersecurity legislation on May 12 that also includes a national standard for breach notification. The legislative proposal joins bills tackling federal breach notification and online privacy by Rockefeller, McCain and Kerry, Sterns and Matheson, Rush, and Speier.

Breach Notification Proposal

The Obama Administration's proposal includes a federal breach notification that applies to breaches of sensitive personal information with a harm trigger. Only entities using information relating to 10,000 individuals during any 12-month period are covered by the proposal.

The proposal defines a security breach as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in (A) the unauthorized acquisition of sensitive personally identifiable information; or (B) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”

The proposal includes a wide variety of information that could be considered sensitive personal identifiable information, including combination of names, addresses, phone numbers, unique account numbers, social security numbers, and biometric information. The proposal also gives the Federal Trade Commission rulemaking ability to amend the definition of sensitive personal information.

The proposal requires business entities that use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period to notify the individuals whose information was or is reasonably believed to be accessed. If this access does not result in reasonable risk of harm or fraud to the individual, then no notification is necessary. If the breach happens to occur with a licensee of the data, then that licensee must notify the owner of the data.

The proposal requires that notification be made without unreasonable delay, but no more than 60 days following the discovery of the breach. The proposal allows the FTC to delay the notification by 30 days, and also for law enforcement or national security purposes. The proposal also gives examination powers to the FTC for evidence of these notifications.

The proposal also includes a national security exemption and a risk assessment safe harbor. The national security exemption to notification would be invoked if the Secret Service or the FBI determine that notification would reveal sensitive sources or impede law enforcement investigations. The safe harbor would be invoked if an entity conducted a risk assessment that determined that data was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field. In addition, the business entity must notify the FTC in writing of the risk assessment and its decision to invoke the safe harbor.

This safe harbor is certainly different from exemptions to notification built into state breach notification laws and HITECH. Some state breach notification laws exempt encrypted data from notification by defining encrypted data as an exemption to a breach. Under the administration’s proposal, assuming that encryption satisfies the “rendered unusable, unreadable, or indecipherable” standard, then the business entity would still have the obligation to notify the FTC of its risk assessment and its decision to invoke the safe harbor within 45 days. While a similar documentation obligation exists under HIPAA and HITECH regulations, there is no obligation to inform the HHS of the breach of “secured” information. Additionally, the HITECH legislation gave the HHS specific authority to define the technological aspect of what constituted unsecured information. The proposal does no such thing. Currently, the FTC has some broad but vague power to promulgate regulations under section 107(c). We would expect this to get remedied in the legislative process, if the proposal goes that far.

The proposal allows for notice by mail, phone, or email, if the individual has consented to that form of consent. Notice to media is available if more than 5,000 individuals are affected. The notice must include a description of the categories of sensitive personal information involved in the breach, a toll-free number to call, and the toll-free phone numbers for the three credit reporting agencies and the FTC. The proposal allows for states to include more information regarding the state’s victim protection assistance program. This appears to be the only area in the proposal that would allow divergences from state to state. Otherwise, Section 109 of the proposal would preempt all other state law relating to breach notification.

The proposal also requires the notification of credit reporting agencies and law enforcement agencies. The entities are to notify an entity designated by the Secretary of Homeland Security, who must then notify the Secret Service, FBI, and the FTC.

The proposal gives the FTC and the State Attorneys General enforcement powers. The proposal grants the FTC enforcement powers regardless of whether that entity falls under the FTC’s jurisdiction. However, the FTC must consult with the attorneys general before initiating an investigation. The proposal requires that the AGs notify the FTC of their enforcement actions before bringing an enforcement action. The FTC also retains the ability to stay, move, or consolidate actions in federal court. The proposal explicitly limits private causes of action relating to the new breach notification requirements.

Finally, the proposal excludes covered entities and vendors of personal health records that are already covered under the FTC and HHS regulations for HITECH. The effective date of the proposal is 90 days after its passage in Congress, which is a rather short period of time. The HHS and the FTC were allowed 180 days to promulgate regulations and they also provided delays in enforcement for breach notification when the HITECH regulations were finalized.

Cybersecurity Proposal

The Obama Administration proposal also includes a long awaited cybersecurity proposal that would go a long way to protect the critical infrastructure and critical information infrastructure from cyber threats. First, the proposal requires that the Secretary of Homeland Security enhance cybersecurity and cyber incident response. Second, the proposal establishes a cybersecurity protection program. Third, the proposal creates a regulatory framework around the protection of critical infrastructure.

The proposal requires the secretary to develop and maintain a risk-informed approach that improves information security of federal systems, promotes the development of technical capabilities in national cybersecurity goals, and promotes greater research, innovation, training, and investment in cybersecurity, amongst other things. Along with this approach comes the Secretary’s duty to conduct cybersecurity activities to protect critical information infrastructure. This requires the Secretary to create programs, conduct risk assessments, integrate new technologies, and create a center to serve as a focal point within the federal government for cybersecurity. To further these goals, the Secretary must carry out a cybersecurity program to protect federal systems from cybersecurity threats. The proposal also provides for privacy and civil liberties oversight due to the ability of the Secretary to intercept the content of communications associated with a known or reasonably suspected cybersecurity threat.

The proposed regulatory framework would require owners and operators of covered critical infrastructure to develop cybersecurity plans. These plans would be evaluated by non-governmental entities with expertise in the area based on accreditation processes developed by the Secretary. The entities would be required to provide annual certifications by their CEO or other accountable corporate officer that their plans have been developed, implemented, and evaluated.

Owners or operators of covered critical infrastructure are also required to promptly notify the Secretary of significant cybersecurity incidents under the proposal. Finally, the proposal gives the Secretary enforcement and rulemaking capacity relating to the proposed legislation.

Other Privacy Bills in Congress

Currently, there are several bills in the House and Senate relating to privacy. The Kerry-McCain bill primarily tracks the Department of Commerce green paper, while others range from anti-tracking proposals to comprehensive privacy legislation to breach notification.

Stearns – Matheson Data Accountability and Trust Act of 2011 introduces data breach related and privacy related obligations on covered entities. Most importantly, the bill requires notification of breaches to both the individuals and the FTC without unreasonable delay. Encryption and other methodologies determined by the FTC to render data unusable, unreadable, or indecipherable, create a presumption that there is no reasonable risk of identity, theft, or fraud to the individual. This negates the duty to notify.

The breach notification provisions for agents or third party providers are unlike other state breach notification statutes or HITECH. The bill requires only that these third parties notify the entities for which they process the data. They need not notify the individuals. However, HITECH and other state laws allow the entities to work out who may be in a better position to notify the individuals. The bill allows for written and email notification, so long as the individual has consented or it is their primary method of contact, as well as substitute notice in the form of print or broadcast. The content of the notification is similar to the requirements under the Obama Cybersecurity proposal. The bill requires the FTC to promulgate regulations regarding the security of information maintained by entities that own or possess personal information. The bill includes specific security, audit, access, and verification requirements for information brokers. Finally, the bill gives the FTC and State AGs enforcement authority over the new requirements. Civil penalties may go up to $5 million. The bill would preempt any state law that requires information security and notification of individuals. As a result, state security regulations such 201 CMR 17 in Massachusetts would likely be preempted under this bill.

Stearns – Matheson Consumer Privacy Protection Act of 2011 establishes a national floor for breach notification for electronic unsecured personal information. Entities that collect, sell, disclose, or use personally identifiable information of more than 5,000 consumers during any consecutive 12 month period would be covered by the bill. The bill also requires that covered entities establish a privacy policy for their use of personally identifiable information and also provide privacy statements to consumers. Covered entities would also be required to update consumers on changing privacy practices under the bill. Consumers would also be able to preclude the sale of their personal information for purposes other than those required under the transaction they are engaging. The bill also requires covered entity to establish security procedures to prevent the unauthorized disclosure of personally identifiable information. The bill also provides for self-regulation and dispute resolution. The FTC would have jurisdiction for enforcement for violations of new requirements.

Kerry – McCain Commercial Privacy Bill of Rights Act of 2011 provides the FTC with rulemaking authority regarding transparent choice and tracking on the internet. The bill applies to entities collecting information concerning more than 5,000 individuals during any 12-month period who are subject to FTC authority, common carriers, or non-profit entities. The bill would also apply to personal information and unique identifier information, or any other information used with that information to identify an individual. The bill allows State AGs to bring enforcement actions, but preempts certain state law. The bill also authorizes co-regulatory framework with safe harbors with participation from the Department of Commerce. This bill would not affect GLBA, FCRA, HIPAA, COPPA, CAN-SPAM, ECPA, or VPPA.

The Jackie Speier H.R. 614 Do Not Track Me Online bill directs the FTC to create a do-not-track mechanism. It would apply to entities that collect covered information from more than 10,000 individuals in a 12-month period. The bill broadly defines covered information to include user information and unique identifiers, such as IP addresses. It includes FTC rulemaking and enforcement authority. This bill also provides for State AG enforcement authority.

The Rockefeller Do-Not-Track Online Act of 2011 is similar to the Speier bill. This bill would also require the FTC to promulgate regulations to address tracking online. The bill allows the State Attorneys General and the FTC to bring enforcement actions for violations of the regulations. The bill allows for maximum civil liability of $12 million.

The Bobby Rush H.R. 611 “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” or BEST PRACTICES Act is reintroduced for this year. It is a comprehensive privacy bill and also provides for FTC enforcement.

Conclusion

It is not unusual to have one or two privacy bills in Congress in any given year. However, this year is particularly busy and there appears to be bi-partisan support for some of these bills. When we add the urgency created by the FTC and DoC privacy papers and the Obama Administration’s focus on breach notification and cybersecurity, we may finally see a legislation pass that may affect privacy and breach notification on a national scale this year.

FTC Settles with Google over Buzz Rollout, Enforces Section 5 and Safe Harbor

2011-04-01T12:49:00.001-04:00

By Mehmet Munur

The Federal Trade Commission announced on March 30^th that it settled with Google over the rollout of its Buzz service. The FTC alleged deceptive trade practices under Section 5 for the enrollment of users without their explicit consent in violation of Google’s own privacy policy. The enforcement action highlights the importance of aligning privacy policies with privacy practices. The enforcement action is also the first substantive enforcement of the US-EU Department of Commerce Safe Harbor.

The FTC complaint explains how Google rolled out its Buzz service to its Gmail users with a splash screen that introduced them to Google Buzz, a social networking service allowing users to share updates much like any other social networking service. The users were given two options: “Sweet! Check out Buzz” or “Nah, go to my inbox.” (The screenshots are included in the exhibits to the complaint.) The complaint further explains that even if users selected “Nah, go to my inbox,” the users could be followed by others who were enrolled in Buzz, their public profiles could appear in the profiles of others who had enrolled, and could be automatically enrolled if they later clicked on the Buzz link in their inbox, among other issues. In short, the FTC alleges that users were enrolled in a product without their explicit consent or an explanation of how their actions may affect their public profiles.

These actions, however, conflicted with Google’s statements on its privacy policy. Google’s privacy policy states that it would not use personal information in a manner other than for the purposes for which the information was initially collected or as later consented to by the user, as Google was required to do under the EU Safe Harbor and probably the FTC Toysmart settlement. Therefore, the FTC concludes that the automatic enrollment of users in the Buzz program in the absence of an explicit consent while representing that Google would get the user’s consent was a deceptive trade practice.

The resulting settlement agreement requires Google not to misrepresent:

A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.

B. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.

The settlement agreement shares attributes of the previous settlement agreements that FTC reached with Sears, Twitter, and others. It requires Google to implement a proactive privacy program, one that is reminiscent of privacy by design. For example, the program must identify reasonably foreseeable material risks and the sufficiency of safeguards to control those risks. Google is subject to the usual 20 year biennial audit requirements. Additionally, the FTC requires that Google disclose to the user any sharing of user’s identified information in a document separate from its privacy policy, terms of use, or EULA and obtain express consent from those users. This type of disclosure, which the FTC first required in the Sears enforcement action, is likely to be carried on to other FTC privacy enforcement actions.

The FTC Google Buzz enforcement action is also the first substantive Safe Harbor enforcement. FTC’s first enforcement action against Balls of Kryptonite was more focused on fees, service, and shipment policies of an ecommerce merchant than privacy. The second set of Safe Harbor settlements were technical violations of the Safe Harbor. Six companies represented that they were part of the Safe Harbor when their certifications had expired years ago. However, the Google Buzz enforcement action represents the next stage. Google failed to live up to the Notice and Choice Principles of the Safe Harbor, with which it promised to comply.

The enforcement action also stands in distinction with the FTC’s unwillingness to take any action against Google regarding the Wi-Fi gate. While the FTC closed the Wi-Fi gate without an enforcement action, to my knowledge, it is the first privacy regulator to act on the Buzz issues. On the other hand, the French Data Protection Authority recently imposed a €100,000 fine on the same issue. However, considering that Google’s actions took place not on a website, but in a car, the FTC may instead be allowing the State Attorneys General to take a closer look at that issue.

Finally, I would like to take issue with Google’s use of “Sweet! Check out Buzz” and “Nah, go to my inbox” to attempt to allow users to accept or decline an offer. Agreements need not always be replete with legalese. Google was not required to state “I hereby represent that I have read and agreed to the Terms and Conditions of Google Buzz and would like my profile to be public and shared with others and any information to be used for any other purpose represented in the Google Buzz Privacy Policy” in the splash page. Even if it had, due to its practices, it would still have likely violated the Section 5 of the FTC Act. However, Google’s use of such fluffy provisions are not the most effective means of forming agreements online nor of informing users about their rights. One can agree to an offer in many ways, including using the word awesome!, but proving this assent in a court of law may be challenging.

In conclusion, the FTC Google Buzz enforcement action provides an interesting mix of issues by throwing together privacy by design, the EU Safe Harbor, aligning privacy policies with privacy practices, and enforcement of agreements online.

FTC Announces Behavioral Tracking Enforcement Action

2011-03-14T15:19:00.001-04:00

By Mehmet Munur

The Federal Trade Commission announced an enforcement action today against an online advertising network that restarted tracking of users 10 days after those users had opted out of online tracking. This is likely the first FTC enforcement action in the behavioral tracking context and likely the first time browser cookies played a central role in an FTC enforcement action. The enforcement action sets a serious precedent for importance of making accurate statements regarding the use of behavioral tracking and following through on those statements.

The consent order also includes numerous requirements regarding the deletion of data, displaying new notices regarding the opt-out, and developing a method of opting out apart from the controls already present in users’ browsers. Clearly, the FTC remains willing to bring enforcement actions against online practices it believes to be deceptive, regardless of congressional action in the field of online behavioral tracking and regardless of how small the harm may seem.

Chitika is an online advertising network and works in the field of online behavioral targeting. Chitika tracks its users with the aid of browser tracking cookies placed on a user’s device. Chitika adds information to the tracking cookie about the user’s browsing activities after it is set and uses this information to serve the user with relevant advertisement. However, this tracking, according to the FTC, is “not visible to the consumer, unless the consumer uses sophisticated web diagnostics tools.” Furthermore, the FTC was concerned that the tracking would continue indefinitely so long as the user visited a website using the Chitika network with the same browser.

In its complaint, the FTC also alleges that Chitika implied that its tracking would cease for a reasonable period of time but that the tracking resumed after 10 days. As a result, Chitika’s representations were deceptive. Chitika’s privacy policy played a central role. It stated:

When users visit a page in the Chitika network, one or more cookies - a small file containing a string of characters - are set to the computer that uniquely identifies the users (sic) browser. Chitika uses cookies to improve the quality of the targeting service by storing anonymous activity data and tracking user trends, such as how people search and browse. Users can reset their browsers to refuse all cookies or to indicate when a cookie is being sent. . . . Chitika encourages and promotes business practices that protect and honor the privacy of users. You can opt-out of receiving Chitika cookies by using the button below.

After users clicked the opt-out button, Chitika told the user that they were opted out. However, these opt-out cookies expired after 10 days and Chitika restarted tracking after this time. Users were not told that the opt-out cookie would expire after 10 days. The FTC concludes that Chitika represented “expressly or by implication, that when consumers opt out of targeted advertising by Chitika, such opt-out [would] last for a reasonable period of time.” The fact that the tracking resumed after 10 days, resulted in deception in the FTC’s view.

The consent order that followed the FTC investigation requires Chitika not to

misrepresent in any manner, expressly or by implication: (A) the extent to which consumers may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities, or (B) the extent to which data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

The consent order also requires Chitika to place disclosures on its websites about the expired opt out and

provide a mechanism, separate and apart from any preferences or controls offered by consumers’ browsers, to enable Chitika users to prevent respondent from collecting data that can be associated with a Chitika user or a Chitika user’s computer or device, or that contains any unique identifier, including Chitika user ID or Internet Protocol (IP) address; from redirecting Chitika users’ browsers to third parties that collect data, absent a click or other affirmative action by such Chitika user; and from associating any previously collected data with any Chitika user’s computer or device. This mechanism shall require no more than one additional click for consumers to exercise their choice(s), and shall remain in effect for a minimum time period of five (5) years, unless the consumer deletes his or her cookies or takes deliberate action to disable the mechanism.

Finally, within 90 days, Chitika must include a link in its ads to the website that would allow individuals to opt out of the tracking. Chitika must also destroy all IP addresses and unique identifiers and all information stored in user’s cookies.

As is typical of FTC enforcement actions, the order lasts for 20 years. However, there is no biennial audit requirement. Instead, for a period of 5 years, Chitika must maintain and make available to the FTC any documents, that relate to the collection of information from users, including FAQs, privacy policies, and Terms of Use.

This most recent enforcement action from the FTC is not unexpected. FTC recently released the Do Not Track report that we blogged about. There, the FTC stated that consumers should be entitled to choice about online behavioral tracking and that

The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as “Do Not Track.”

Thus, the Chitika enforcement action is completely in line with the persistent online tracking choices that FTC would like to encourage.

The FTC now reiterates its willingness to change practices in the arena of online behavioral tracking by putting the cookies center stage. It is also noteworthy that the enforcement action comes before the Do Not Track report is finalized. After all, that report was a preliminary report.

As a result, statements and practices about cookies, especially behavioral tracking cookies, are now more important than ever. These practices will only increase in importance as the FTC reviews all the comments relating to its report and issues a final report. It appears that regardless of legislation in this area, the FTC will continue to bring enforcement actions against deceptive practices relating to behavioral tracking.

6th Circuit Rules Warrantless Email Collection under the Stored Communications Act Unconstitutional

2010-12-20T16:50:00.000-05:00

By Mehmet Munur

The 6^th Circuit Court of Appeals ruled on December 14^th that the defendant had a reasonable expectation of privacy in his email stored by his Internet Service Provider and that the government violated his 4^th Amendment rights by conducting warrantless searches of his email. However, due to the government’s good faith reliance on the Stored Communications Act, the emails did not have to be excluded in a trial against him. The case highlights the need to modernize the Electronic Communications Privacy Act, which includes the Stored Communications Act at issue.

Steven Warshak owned and operated small businesses that sold Enzyte, an herbal supplement. His companies had annual sales of $250 million and featured a media campaign that included television ads for Smiling Bob. However, the company also used an auto-ship feature that continued to send the customer products until the customer cancelled the subscription, which resulted in 1,500 complaints to the Better Business Bureau. The companies also concocted plans to bury the disclosure regarding the auto-ship feature. As a result, the companies ran into chargeback issues and had a merchant account terminated at one point. This led to schemes to decrease the percentage of chargebacks by splitting transactions into two, and then into three, and even creating bogus transactions on Warshak’s personal credit cards to balance out the chargebacks.

To build the case against him, the government obtained nearly 27,000 emails from Warshak's ISP without a warrant but relied on the SCA, which permits a governmental entity to compel an ISP to disclose the contents of electronic communications. Over a year after they obtained the emails, the government notified Warshak about the access to his email, as required under the SCA. Thus, Warshak obtained an injunction against the collection of his email in the future. Meanwhile, a grand jury in the Southern District of Ohio returned a 112-count indictment against Warshak and co-defendants on charges of mail, wire, and bank fraud, and money laundering, amongst other crimes. After a trial based on the emails and other evidence, Warshak was sentenced to 25 years imprisonment and ordered to surrender nearly half a billion in proceeds.

During his first visit, in 2007, the Circuit Court reviewed the injunction issued by the district court “enjoin[ing] additional seizures of e-mails from an ISP account of any resident of the Southern District of Ohio without notice to the account holder and an opportunity for a hearing.” Initially, the 6^th Circuit slightly modified this injunction, but an en banc panel, in 2008, reviewed this decision and vacated it on ripeness grounds. This latest 6^th Circuit opinion is Warshak’s third visit and ripeness is not an issue because he has already been convicted. Moreover, two members of this most recent panel were part of the en banc panel that had vacated the 2007 decision, which suggests a similar result in the event of an en banc review.

On this latest visit to the 6^th Circuit, Warshak, once again, argued that the government’s seizure of his private emails from his ISP constituted a violation of the 4^th Amendment prohibition on unreadable searches and seizures. The Circuit Court first analyzed Warshak’s subjective expectation of privacy and easily found it to be satisfied in the case. The Circuit Court then turned to whether society is willing to recognize Warshak’s expectation of privacy in his email as reasonable. The court noted that “[s]ince the advent of email, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away.” After reviewing Supreme Court precedent relating to communication by phone and letter, the court then stated that “[i]f we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment.”

The Circuit Court then addressed the government’s argument that Warshak’s agreement with his ISP reserved a right to access Warshak’s email. However, the Circuit Court countered that neither the ability of someone to intercept the communication nor the right of access diminished the reasonableness of the user’s expectation of privacy. Electronic Frontier Foundation’s amicus brief proved useful for this part of the opinion as it pointed out that even telephone companies have similar provisions in their agreements with their subscribers. Nevertheless, the Circuit Court also stated that an ISP’s “intention to ‘audit, inspect, and monitor’ its subscribers’ email . . . might be enough to render an expectation of privacy unreasonable.” Nevertheless, the court held that:

a subscriber enjoys a reasonable expectation of privacy in the contents of emails “that are stored with, or sent or received through, a commercial ISP.” . . . The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

Despite this unconstitutionality, the government relied in good faith on the SCA while obtaining Warshak’s emails. Therefore, the Circuit Court upheld the trial court’s refusal to exclude the evidence against him. As a result, at least in the 6^th Circuit, the government should not be able to rely in good faith on the SCA to obtain emails without warrants in the future.

The SCA has been under criticism for some time. Earlier this year, Digital Due Process Coalition, issued principles regarding the need to update the ECPA, which includes the SCA at issue in this case. It is no surprise that companies such as Microsoft, Google, AT & T, Facebook, and others are increasingly concerned with compliance with this aging legislation. A judicial solution may provide a much needed, but narrow, remedy to re-introduce the constitutional protections to electronic communications. However, a legislative solution would likely be more efficient as it would resolve other issues pertaining to location information, which is a natural part of mobile phone internet access, and private Facebook messages, which are not all that different from emails. Therefore, this holding should reinvigorate the debate concerning updates to ECPA that would better adapt constitutional protections to changing technologies, allow businesses to comply more efficiently with the law without losing consumer confidence, and still provide law enforcement with the capabilities to monitor communications while staying within the boundaries of the protections of the Constitution.

The case is US v. Warshak, Nos. 08-3997/4085/4087/4212/4429; 09-3176, (6th Cir., Dec. 14, 2010), available at http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.

FTC Releases Staff Report on Proposed Framework for Collection of Consumer Information

2010-12-01T20:26:00.000-05:00

By Mehmet Munur

The Federal Trade Commission released a preliminary staff report titled Protecting Consumer Privacy in an Era of Rapid Change that proposes three new principles of Privacy by Design, Simplified Choice, and Greater Transparency to supplement its notice/choice and harm based model to address the commercial use of consumer information. The proposed scope of the staff report is all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer, or other device. When finalized, this framework may require major changes to the way companies draft, present, and abide by privacy notices and the way consumers make choices when their information is collected. However, the report is only preliminary and the FTC is seeking comments on the proposed framework, including whether it should recommend legislation in this area if the private sector is unable to implement a uniform effective choice mechanism.

In its news release, the FTC states that the it is not satisfied with “industry efforts to address privacy through self-regulation,” which “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The report also suggests that the FTC’s notice/choice and harm based model's shortcomings coupled with the advances in technology necessitate a new framework. The FTC came up with these new principles based partly on the three roundtables conducted in the past year, which found that collection of consumer information was ubiquitous, consumers did not understand this collection and could not make meaningful choices, privacy was important to consumers, and the distinction between personally identifiable information and anonymous information was blurring.

Using this new framework, under the Privacy by Design principle, the FTC proposes that companies incorporate substantive privacy protections into their practices, including data security, collection limitations, retention practices, data accuracy, training, and assigning employees to oversee privacy issues.

Under the Simplified Choice principle, FTC suggests that companies need not provide notice regarding commonly accepted practices, such as service fulfillment, internal operations, fraud prevention legal compliance, and first-party marketing. However, the FTC suggests that companies should offer consumers informed, meaningful, clear, concise, just-in-time choices for uses that are not commonly accepted. The FTC also suggests that Do Not Track technology may have to be implemented to accomplish this goal in the behavioral advertising arena, but that its implementation will have to differ from the Do Not Call registry due to the differences in technology.

Under the Greater Transparency principle, the FTC suggests that privacy notices should be clearer, shorter, and standardized. Additionally, under this principle, companies should provide consumers with reasonable access to their information, obtain express consent before using consumer information in a materially different manner than claimed when the information was collected, and educate consumers. The FTC recommends that companies standardize the format and terminology of these notices and offers GLBA notices as guidance. Therefore, the new framework may require the rewrite of all online privacy policies, especially if it requires standardized forms and terminology. At a minimum, it may require privacy policies to be adjusted for a layered approach.

At times, the report raises more questions than it answers. The report includes 6 pages of questions for comments to be submitted to the FTC. It also leaves the legislative door open, but recommends robust, enforceable self-regulation. It is also broad in scope. It mentions everything from deep packet inspection to flash cookies to HTML 5 evercookies.

Nevertheless, the FTC reiterates its willingness to “take action against companies that cross the line with consumer data and violate consumers’ privacy – especially when children and teens are involved.” The day before the announcement of the staff report, the FTC also announced an enforcement action against EchoMetrix regarding the disclosure of children’s information to third party marketers without adequate disclosure to parents.

Facebook Faces Renewed Privacy Challenges

2010-10-19T13:43:00.003-04:00

By Mehmet Munur

The Wall Street Journal reports that a Facebook user ID may be inadvertently shared by a Facebook application and may then be further transferred to other third parties. While this sharing is similar to the sharing issues Facebook experienced last spring, incidents such as these are only likely to increase calls for accountability and privacy by design principles in privacy enforcement.

WSJ reports that the top ten most popular apps on Facebook were found to be transmitting users’ IDs to third parties. WSJ reports that the apps were sending data to 25 other firms, some of which build profiles on users. WSJ further found that at least one firm that received this information combined it with its own database and then sold it to other third parties. Facebook Developer Principles and Policies requires that user data not be used “for any purpose off of Facebook, without user consent.” This sharing by apps with third parties likely violates this provision of the Facebook policy. Thus, WSJ contends that some of these apps may have violated the Developer Principles and Policies as well as the developers’ own privacy policies.

Facebook responded by shutting down some of those apps since the WSJ story ran. Facebook also responded with this developer blog post stating that the sharing of user IDs was inadvertent and that the press “exaggerated the implications of sharing.” Instead, the post focused on how the sharing of the user ID did not allow the sharing of “private user information.”

However, when it comes to advertising and behavioral tracking, the FTC has stated in its 2009 Staff Report that

in the context of online behavioral advertising, the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful and should not, by itself, determine the protections provided for consumer data. . . . In staff’s view, the best approach is to include within the Principles’ scope any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device.

Considering that the user IDs are unique, means that the information can easily be identified with an individual. Whether or not “private” information is shared appears to be beside the point.

Additionally, the ecosystem for the sharing of information about individuals highlighted by the WSJ article is not new. In fact, the FTC has highlighted these issues in its roundtable. This flow chart describes in detail how personal information may be shared among entities. Mostly due to the complexity of these data flows, regulators in both the EU and the US are pushing for principles such as accountability and privacy by design.

You may read more by the WSJ on the What They Know series here and watch the FTC roundtables here.

Best Lawyers in America/Best Law Firms in America

2010-09-30T13:17:00.012-04:00

Columbus-OH Tier 1
Information Technology Law

U. S. News & World Report and Best Lawyers in America have joined to rank 8,903 firms in 81 practice areas in 171 metropolitan areas and 7 states. We are pleased that Tsibouris & Associates, LLC has been chosen to be recognized and included in the U.S. News - Best Lawyers "Best Law Firms" inaugural 2010 edition, ranking as a Best Law Firm in Columbus, Ohio in the practice area of Information Technology Law. To read more about the release of the 2010 Best Law Firms rankings, click here.

Dino Tsibouris of Tsibouris & Associates, LLC was also selected to be included in the 2011 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 2.8 million evaluations and votes cast by the top attorneys in the country. To read more about the selection process, click here.

Court Upholds Website Terms of Use But Loss Does Not Satisfy the CFAA

2010-09-29T15:21:00.000-04:00

By Mehmet Munur

A district court in Maryland recently upheld a real estate company’s website terms of use, but held that the unauthorized use by the defendants and the lost revenue from this unauthorized access did not satisfy “loss” as defined by the Computer Fraud and Abuse Act. The case demonstrates how important drafting accurate Terms of Use, obtaining click-through assent, and keeping track of each login via logs can be for the enforcement of website terms of use.

CoStar provides commercial real estate information through its website. The website includes a database with photographs of real property and enables its users to find property for sale or rent. The photographs are taken by CoStar’s field researchers and CoStar registers the photos for copyright protection. CoStar enters into a License Agreement and charges users a subscription fee. Users are then issued usernames and passwords to access the website. CoStar logs the logins for each username using IP addresses. The login prompt states “Login/Use Subject to Terms” underneath the fields for username and password. This prompt also includes a functioning link to CoStar’s Terms of Use.

The Terms of Use prohibit the sharing of login information with other users. It also prohibits unauthorized users from accessing the website. The Terms of Use also define an authorized user as “an individual (a) employed by a CoStar Client or an Independent Contractor (as defined below) of a CoStar Client at a site identified in the License Agreement, and (b) who is specified in the License Agreement as a user of a specific Passcode-Protected Product.” In addition to the login prompt, CoStar also required its users to accept the Terms of Use when they logged into the site for the first time and at periodic intervals throughout the license term.

Mark Field, who was doing business as Alliance Valuation Group, entered into a license agreement with CoStar in 2002. The License Agreement named Brad Christensen, who was part owner and president of Pathfinder Mortgage Company, as an employee of Alliance Valuation Group and an authorized user. In 2005, CoStar realized that Brad Christensen was no longer affiliated with Alliance Valuation Group and terminated his account.

CoStar alleged in its complaint, based on its logs, that Mark Field shared his username and password with Brad Christensen and Pathfinder Mortgage Company through 2008. In fact, CoStar alleges that Pathfinder Mortgage Company’s IP addresses were recorded over 60 times accessing CoStar’s database. At least two occasions, CoStar’s logs showed that Field’s username and password were used simultaneously by the IP addresses generally associated with Pathfinder Mortgage Company and Alliance Valuation Group. Finally, CoStar alleges that Alliance Valuation Group also listed others as authorized users under its agreement with CoStar, who in return listed yet other people as authorized users for a fee. All told, CoStar alleged that it had at least 200 unauthorized accesses to its website over a 43-month period.

CoStar brought actions for copyright infringement, breach of contract, and violation of the Computer Fraud and Abuse Act against Field, Alliance Valuation Group, Christensen, Pathfinder Mortgage Company, and others. Parties filed for summary judgment against one another, amongst other motions. CoStar succeeded in its motion for summary judgment in the breach of contract, copyright infringement, and fraud claims, but failed in its CFAA claim.

The court found that Pathfinder and all non-licensed parties were bound by the Terms of Use and relied on Motise v. America Online, 346 F. Supp. 2d 563 (S.D.N.Y. 2004). Motise involved the use of an AOL account by two different members of the family, one of whom signed up for the account and was given notice of the terms and the other who used the account but did not receive notice. The Motise court, much like this court, held that the parties had received derivate notice. Furthermore, the court found that defendants did not provide any evidence to refute CoStar’s logs, which the court found persuasive. Therefore, Pathfinder was bound by the Terms of Use even though it “may not have affirmatively clicked the ‘agree’ button before entering the database.” Thus, CoStar won the motion for summary judgment on its behalf.

The court then turned to the CFAA claim and noted that the act offered a private cause of action for those who suffered damage or loss due to a violation of the CFAA. The act further defines “loss” as “any reasonable cost to the victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service,” which must exceed $5,000. CoStar argued that the value of the license fees it would have made had the unauthorized access to its website were properly authorized at $300,000. Here, the court outlined the difference of opinion among different courts regarding the definition of “loss” covered by the CFAA. The court sided with the approach that only allowed for lost revenue when it “was ‘incurred because of interruption of service.’” The court cited other cases holding that the type of damage that Congress meant to relieve with the private cause of action in CFAA were the type resulting from a hacker type attack. The court held that “a violation of the CFAA must cause an interruption of service in order for lost revenue to constitute as a qualifying ‘loss’ under the statute because, otherwise, the language of ‘because of interruption of service’ in the definition of ‘loss’ would be inoperative and violate a rule of statutory interpretation.”

A recent and interesting case involving unauthorized access to a database with a CFAA claim was Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D. Ohio). There, Mitsubishi hired Snap-On to build a searchable online database for use by its dealers. Snap-On used printed parts catalogs and photos to put together a database for Mitsubishi and hosted the database on its servers. The license agreement between Snap-On and Mitsubishi required that Mitsubishi be responsible for assigning and security of the usernames, passwords, and their use only by dealers and their agents. Snap-On’s agreement governing the use of the database had terms similar to the terms that CoStar used on its website that limited use to authorized users.

Then Mitsubishi decided to change service providers from Snap-On to its competitor O’Neil & Associates. When Snap-On offered to give Mitsubishi the database it had created for Mitsubishi for an additional fee, Mitsubishi balked. It hired O’Neil & Associates to scrape the Snap-On database. However, the scraping crashed Snap-On’s server on at least two occasions and impaired server condition and quality. Snap-On spent 200 hours diagnosing the issue. Snap-On also blocked the IP addresses that O’Neil & Associates used to access the website only to result in O’Neil using different IP addresses in its next attempt. The court held in the motion for summary judgment that Snap-On had pleaded enough facts to survive the motion for summary judgment in the CFAA claim. O’Neil did not contest Snap-On’s loss under the CFAA.

Though both CoStar and Snap-On were subject to access of their databases using legitimate usernames and passwords by unauthorized users, CoStar’s database use did not rise to the level that allowed Snap-On to succeed in the motion for summary judgment. Snap-On demonstrated service interruption with its servers crashing, traffic escalating, and long hours of diagnostics. However, CoStar only experienced about 260 unauthorized logins over a 43-month period with no apparent effect on service quality. Though there are a great number of CFAA cases touching on both “loss” and “unauthorized” aspects of CFAA claim, based on these two cases, courts are more likely to be persuaded by “losses” that Snap-On demonstrated in its CFAA claim than CoStar’s “losses.”

Nevertheless, CoStar properly defined “authorized users” in its Terms of Use, obtained a click-through assent on first use, obtained intermittent click-through assent on other occasions, provided notice of the terms in each login, and, most importantly, kept track of each login in its logs. Website operators must ensure that their websites are built in similar ways (possibly with the addition of obtaining assent to terms at login in addition to notice of terms at login) and evidence is kept and presented in a similar fashion to ensure that their online agreements remain enforceable.

The case is CoStar Realty Information, Inc. v. Field, 8:08-cv-00663-AW (D. Md. Aug. 23 2010).

You may read more about Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D. Ohio) and other cases involving the dangers of outsourcing without having proper controls in place by Venkat Balasubramani and Eric Goldman at Eric Goldman’s blog.

You may read more about the issues concerning personal jurisdiction that were previously litigated in CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009) from Evan Brown.

FTC Announces Settlement with Twitter and Article 29 Working Party Issues Opinion on Behavioral Advertising

2010-06-24T14:16:00.001-04:00

By Mehmet Munur

Today, the FTC announced its settlement with Twitter on the charges relating to the 2009 security breach involving the comprise of a Twitter employee’s account. The FTC settlement specifically highlighted Twitter’s failure to put in place common sense security procedures, such as hard to guess passwords, expiring passwords, and restricting administrative controls to only employees that needed them. Under the settlement, Twitter will be barred from making misleading statements on security, privacy, and confidentiality of information for 20 years and it will need to go through biennial third-party security audits for 10 years. You may read more about the settlement from the FTC website.

Unrelated to the FTC settlement, the Article 29 Working Party released an opinion on behavioral advertising. A29WP reiterated that the behavioral advertisers and the cookies or other devices they used were governed by Article 5(3) of the E-Privacy Directive. The use of such devices and any information that may be deemed personal information will also be governed by the Data Protection Directive. Thus, the A29WP pushed for opt-in consent for the use of such technology. Additionally, the opinion stated that “to keep data subjects aware of the monitoring, ad network providers should: i) limit in time the scope of the consent; ii) offer the possibility to revoke it easily and iii), create visible tools to be displayed where the monitoring takes place.” The A29WP is also soliciting comments as to the ways of achieving opt-in consent without burdening web users with too many notices. You may read the full text of the opinion here.

Supreme Court Reverses 9th Circuit on the Employee Electronic Communications Case

2010-06-20T16:00:00.000-04:00

by Mehmet Munur

On June 17, 2010, the Supreme Court of the United States held in a unanimous opinion that the unauthorized search of a state employee’s text messages on his employer provided text-messaging pager did not violate the employee’s Fourth Amendment rights. The Supreme Court reversed the 9th Circuit, which we had previously blogged. However, the Supreme Court decision was very narrow, assuming instead of deciding whether the employee’s expectation of privacy was reasonable. Nevertheless, the Court still highlighted the importance of clear communication of employee policies as well as their consistent implementation.

The case arose from Ontario Police Department’s review of text messages by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make it more efficient for dispatchers. When Officer Quon and others went over the allotted character limit, they paid for their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related. Then, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal use. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.

As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communication Act (“SCA”) and the Fourth Amendment, among others. The 9th Circuit reversed the district court on the SCA claim. The Supreme Court reversed the 9th Circuit.

The Supreme Court started out with the discussion of the 4th Amendment jurisprudence, including the case of O’Connor v. Ortega, where the Court had discussed the importance of considering the operational realities of the workplace in determining the reasonableness of the expectation of privacy. However, instead of expanding on the O’Connor case, the Court simply assumed that Officer Quon had a reasonable expectation of privacy. This approach was likely due to the politics of the Court and the difficulty of obtaining a unanimous decision, their difficulty in understanding the technology, and their hesitation to make laws based on passing technologies. This is clear in the following section of the opinion:

The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. In Katz, the Court relied on its own knowledge and experience to conclude that there is a reasonable expectation of privacy in a telephone booth. It is not so clear that courts at present are on so sure a ground. Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.

Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. As one amici brief notes, many employers expect or at least tolerate personal use of such equipment by employees because it often increases worker efficiency. Another amicus points out that the law is beginning to respond to these developments, as some States have recently passed statutes requiring employers to notify employees when monitoring their electronic communications. At present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve.

Even if the Court were certain that the O’Connor plurality’s approach were the right one, the Court would have difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable. Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. . . .

A broad holding concerning employees’ privacy expectations vis-à-vis employer-provided technological equipment might have implications for future cases that cannot be predicted.

Citations omitted.

While the Supreme Court declined to decide on the law’s treatment of workplace norms and the use of technology, it still highlighted the important intersection of technology, workplace policies, and their administration in the following sentence:

employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Therefore, despite the narrow holding, the Court recognizes that employers cannot expect to write policies that decrease the expectations of privacy, then act in contradictory ways to increase these expectations, and still expect to end up with decreased expectations of privacy in the workplace. Thus, it is crucial that employers, whether government or private, draft clear policies on the use of technology for personal reasons, communicate them clearly, and execute them consistently.

The Court then moved onto the O’Connor criteria and held that Fourth Amendment was not violated. “The search was justified at its inception because there were “reasonable grounds for suspecting that the search [was] necessary for a noninvestigatory work-related purpose.” Due to the costs involved in using the pagers, the city of Ontario had a legitimate interest in conducting the search. “As for the scope of the search, reviewing the transcripts was reasonable because it was an efficient and expedient way to determine whether Officer Quon’s overages were the result of work-related messaging or personal use.” Therefore, the search was reasonable under the O’Connor plurality.

The case is City of Ontario v. Quon, No. 08–1332 (U.S. June 17, 2010).

District Court holds that Privacy Policy May Form Part of Contract but that Damages are Required for Action in Breach of Contract

2010-05-18T17:28:00.002-04:00

By Mehmet Munur

The District Court for the District of New Jersey recently held that a privacy policy when relied on could form part of a contract but that the party alleging breach of contract would have to show damages to survive a motion for summary judgment. The case adds to a long line of cases holding that it is very difficult to recover in a breach of contract claim based on a privacy policy. The case also highlights the difficulty some courts have had in classifying privacy policies as contract or policy.

Pro se Plaintiff and Comcast subscriber filed a lawsuit against TRUSTe, Microsoft, and Cisco Systems for blocking all of Plaintiff’s emails on at least two separate dates. Plaintiff called Comcast the first time and filed a complaint with TRUSTe the second time. Comcast claimed that it had received the blocking information from Cisco’s Ironport service. TRUSTe held against the Plaintiff in his complaint where he argued that Comcast had not sufficiently explained the reasons for blocking his outgoing email. Plaintiff had also filed a complaint against Microsoft for placing Plaintiff on its Frontbridge IP address blacklist on two previous occasions. Microsoft had not licensed Frontbridge through TRUSTe; therefore, TRUSTe did not render a decision on that complaint. Thus, the Plaintiff brought a pro se claim against all parties that included eight causes of action.

The court ended up dismissing the breach of contract claim against all parties. The court summarily dismissed the breach of contract claim against TRUSTe simply because “it is blackletter [sic] law that a gratuity without consideration does not form a contract.” Without the contract, the Plaintiff’s breach of contract claim went nowhere.

In addressing the breach of contract claims against the three remaining parties, the court had to consider whether their privacy policies were enforceable as contracts. Comcast, Cisco, and Microsoft argued that their privacy policies are insufficient to form a contract “because they are not definite and no consideration was given.” In his complaint against Comcast, the Plaintiff pointed to the Comcast Customer Privacy Notice regarding Comcast’s ability to block and filter spam email and the methods involved. The court held that the Notice was a part of the contract and examined other cases in the area that held that privacy policies could form part of a contract.

It is at this point that the court pointed to the divide among some courts on whether privacy policies are part of a contract or not. Specifically, the court compared Dyer v. Northwest Airlines, 334 F. Supp. 2d 1196 (D.N.D. 2004) (airline’s privacy policy posted on its website did not constitute a contract with its customers in the absence of an allegation that passengers read and relied on the policy) and In re Northwest Airlines Privacy Litig., 2004 WL 1278459 (D. Minn. June 6, 2004) (where plaintiffs alleged that they relied on the privacy policy but not that they had actually read it) with Meyer v. Christie, No: 2:07-cv-02230-JWL-DJW (D. Kan. Oct. 24, 2007) (holding that on a motion to dismiss, the court cannot agree with the characterization that the privacy policy is “nothing more than a mere unilateral statement of company policy”) and In Re Jet Blue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 325 (E.D.N.Y. 2005) (stating that that In re Northwest rests “on an overly narrow reading of the pleadings” and allowing the breach of contract claim to survive motion for summary judgment). The court sided with Meyer v. Christie and In Re Jet Blue because it was more persuasive. The court may also have been persuaded because it was a motion to dismiss and the Plaintiff was pro se.

Nevertheless, the fact the privacy policy was read, relied on, and thus became a part of the contract did not change the result. The Plaintiff must also show damages in order to succeed in a breach of contract claim. However, the Plaintiff had not pled any loss whatsoever. This result also is not surprising because the cases that the court cited to in its opinion regarding privacy policies as contracts also hold that claimants could not prove damages. Other cases not cited by the court such as In Re American Airlines Privacy Litig., No: 3:04-MD-1627-D, (N.D. Tex. May 25, 2005) (holding that the privacy policy could form a part of the contract but that the claimants have “failed to plead the essential element of damages flowing from the breach”) and Jackson Hewitt v. Pinero, No:2:08-cv-03535-SSV-DEK (E.D. La. Jan. 7, 2009) have come to similar conclusions. In fact, the Plaintiff in Jackson Hewitt sought damages for “fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress.” Even there, the Plaintiff’s breach of contract was dismissed because the Plaintiff did not sustain any legally cognizable loss or damage. Therefore, it is unlikely that damages based solely on the violation of privacy policies can be recovered in a breach of contract action.

The court then went on to dismiss the breach of contract claim against Cisco and Microsoft. There, the Plaintiff was unable to prove that there was a contract between himself and Cisco and Microsoft simply by pointing to their privacy policies. Furthermore, the Plaintiff did not complete the offer, acceptance, consideration triangle of contract formation to show that the privacy policies were a part of his contracts with the two companies. In fact, Microsoft and Cisco did not owe any contractual duties to the Plaintiff, but instead to Comcast, to whom they supplied the blacklist information.

In sum, the court’s holding on the issue of privacy policies are certainly not groundbreaking. However, it adds to the current discussion about role of privacy policies in contract formation.

You may also find Eric Goldman’s comments regarding the application of 47 USC 230 and this case here.

The case is Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 1:09-cv-04567 (D.N.J. May 04, 2010). Note that the Plaintiff accidentally named the TRUSTe (True Ultimate Standards Everywhere Inc.) with Trusted Universal Standards in Electronic Transactions Inc.

NJ Supreme Court Addresses Privilege in Employee Web-Based Personal Email Accounts

2010-04-13T17:08:00.001-04:00

by Mehmet Munur

New Jersey Supreme Court ruled on March 30, 2010 that an employee did not waive attorney-client privilege to the emails she sent using her personal, web-based, password-protected email account from a computer owned by the employer. The employer had an Electronic Communication Policy that limited the employee’s expectation of privacy but did not explicitly discuss the use of personal email accounts on employer owned computers. The Court also stated in dicta that even a more clearly written policy would not be enforceable due to the public policy concerns over the attorney-client privilege. The Court also placed the burden of compliance with the ruling on attorneys by referring to the Rules of Professional Conduct. The case may require a re-write of electronic communication policies, at least as it relates to NJ employees. The case illustrates the importance of having clearly written policies that not only address the realities of personal use of employer-owned computers, but also the importance of properly implementing such policies.

The plaintiff, Marina Stengart, sued her former employer Loving Care Agency for employment discrimination. Stengart used the laptop provided by Loving Care to send emails to her attorney using her personal, web-based, password-protected Yahoo email account before turning in her laptop at the end of her employment. While she intended such communication to remain confidential, her laptop cached the emails in the temporary files folder. Loving Care imaged the laptop’s hard-drive for electronic discovery and found 7-8 of these emails, which had attorney-client privilege disclaimers. Attorneys for Loving Care reviewed these emails and referenced them in answering interrogatories. Plaintiff requested the immediate return of all other communication. Loving Care’s attorneys refused, Stengart moved for a temporary restraint. The trial court judge denied Stengart’s motion and found that the emails were not protected by attorney-client privilege because Loving Care’s Electronic Communication Policy had placed Stengart on notice that that the emails would be company property. The Appeals Court reversed and the New Jersey Supreme Court agreed with the Appeals Court. The New Jersey Supreme Court held that the Policy was ambiguous, that Stengart had both an objective and a subjective expectation of privacy, that the attorney-client privilege applied to the emails, and that the privileged had not been waived.

I. The Appeals Court Decision.

The Appeals Court overruled the trial court on four issues. First, the Appeals Court held that there was a genuine issue of material fact as to whether the Policy had been properly implemented. Second, it held that the Policy was ambiguous and that it did not specifically address web-based email use for personal reasons. Third, the Appeals Court held that the Policy was not enforceable due to the application of the attorney-client privilege. Lastly, it held that Loving Care’s attorneys were bound by the rules of professional conduct to bring the emails to the attention of the plaintiff’s attorneys or the court for a determination on the application of privilege.

First, the Appeals Court examined whether Loving Care’s Electronic Communication Policy had properly been implement. Stengart argued, with certification in support from former executives, that the Policy was not supposed to apply to Executives and that the Policy was not in effect during her time there. The Appeals Court concluded that there was a genuine issue of material fact as to whether the Policy applied to Stengart as an executive. The Appeals court relied on the multiple versions of the Policy that it found on the record with no information as to the effective dates of the Policy. This portion of Appellate Court Opinion highlights the importance of properly implementing Electronic Communication Policies. Such policies should be properly dated and properly disseminated to the workforce to extinguish any arguments that they are not applicable.

Second, the Appeals Court examined whether the terms of the Policy were sufficiently clear to warrant enforcement and whether the Policy covered the web-based Yahoo email account that Stengart used to communicate with her attorney. The trial court had held that the Policy put Stengart on notice that her communication would be subject to review as company property. The Appeals Court disagreed. Loving Care’s Electronic Communication Policy read:

[1] The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice. . . .

[2] E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.

[3] The principal purpose of electronic mail (e-mail) is for company business communications. Occasional personal use is permitted.

The Appeals Court held that “company’s media systems and services” was not defined and it was not clear whether that included personal, password protected, web-based email accounts. Furthermore, the Appeals Court held that the lack of privacy for business communications conflicted with the occasional personal use that was permitted. Therefore, the Appeals Court held that the Policy was ambiguous.

Third, the Appeals Court turned to whether the Policy was enforceable. The Appeals Court examined the short history of employee manuals and their enforceability in contract theory. The Appeals Court wanted to reign in employee policies and wanted to create a reasonableness requirement on such policies before they could be enforced. Weighing the legitimate business interests of the employer against the interest in privacy of the employee, the Appeals Court appeared to argue that an employer could not make personal communications into company property by placing such language in a policy. Only after going into the history of employee-employer relationships and other cases in this area did the Appeals Court finally turn to the attorney-client privilege issues. The court held that “the company policy is of insufficient weight when compared to the important societal considerations that undergird the attorney-client privilege.”

Fourth, the Appeals Court addressed the issue of whether counsel for Loving Care had violated New Jersey Rule of Professional Conduct 4.4 requiring a “lawyer who receives a document and has reasonable cause to believe that the document was inadvertently sent . . . not [to] read the document [,] to, if he or she has begun to do so, . . . stop reading the document, [to] promptly notify the sender, and [to] return the document to the sender.” The trial court found that Loving Care’s attorneys did not have an affirmative duty to alert the plaintiff that it was in possession of the emails. The Appeals Court was not convinced and held that the Loving Care attorneys had violated the rule. The Appeals Court remanded the case to determine whether counsel should be disqualified.

Thus, the Appeals Court reversed the trial court, ordered the emails to be destroyed, and remanded the case for a hearing on disqualification of Loving Care’s attorneys.

II. The Supreme Court Opinion

The Supreme Court modified and affirmed the judgment of the Appellate court and created a bright line rule in dicta for attorney-client privileged communications from personal web-based accounts using employer owned computers. On appeal, the Supreme Court only addressed the ambiguity of the Policy, the application of the privilege, and the application of the ethics rule. Unlike the Appeals Court, the Supreme Court did not determine whether the Policy had been properly implement. Instead, the Court simply assumed that the Policy applied.

The Supreme Court agreed with the Appeals Court that the language of the written policy was ambiguous. The court then turned to the reasonable expectation of privacy by Stengart in her communications with her attorney. However, the Supreme Court did not take the same reasonableness approach to limit all employer policies regarding electronic communication as the Appeals Court did. Instead, the court distinguished between company provided email accounts and web-based personal email accounts based on 4th Amendment cases by analogy, tort of intrusion on seclusion, NERA v. Evans, Quon v. Arch Wireless, In re Asia Global Crossing, and others. The Court also emphasized the importance of company policies in diminishing the reasonableness of employee’s claim to privacy. The Court analyzed the reasonableness of Stengart’s expectation of privacy both objectively and subjectively. Her use of a web-based, password protected account—the password to which she did not save on her computer—led the Court to conclude that Stengart had a subjective expectation of privacy for the communication. The ambiguity of the Policy and the fact that it did not address personal email accounts led the Court to conclude that her expectation of privacy was objectively reasonable. The Court rejected any arguments of waiver as well and concluded that the communications were privileged.

The New Jersey Supreme Court also went one step further and created a bright line rule in dicta. Court did not mention the same reasonableness requirement in Electronic Communication Policies that the Appeals Court mentioned. Instead, the court stated that companies were free to “adopt lawful policies relating to computer use to protect assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies.” However, the Court stated that

Employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. . . . [E]ven a more clearly written company manual – that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password protected e-mail account using the company’s computer system – would not be enforceable.

The Court then turned to the ethics issue and agreed with the Appeals court. In effect, both courts appointed the attorneys for the employer as the custodian of an employee’s communication with his attorneys. Loving Care’s attorneys argued that the New Jersey Rule of Professional Conduct 4.4 was meant to address situations where attorneys inadvertently received communications from third parties and not this particular situation where the plaintiff had left them behind. The Court disagreed with the characterization of emails found in the cache of a browser as “left behind” and agreed with the Appeals Court in stating that the counsel for Loving Care had violated the New Jersey Rule of Professional Conduct 4.4 by not setting aside the privileged communications, and failing to notify its adversary or the court. Therefore, in New Jersey, if a company finds potentially privileged emails, its attorneys will be ethically bound to inform opposing counsel or the court about these emails before they use them, or risk disqualification.

With this decision, the New Jersey Supreme Court joins a line of cases, similar to NERA v. Evans, holding that attorney-client communications creates a special case for employer Electronic Communication Policies. However, it is unique for creating a bright line rule for attorney-client privileged emails using personal web-based email accounts. Additionally, by placing the onus of compliance with the rule on the attorneys instead of the businesses, the court ensures that the rule will be followed.

The decision is also important because the Supreme Court did not follow the reasonableness approach to Electronic Communications Policies that the Appeals Court wanted to put in place. Such an approach for the content of all Policies could not simply be based on the attorney-client privilege, but would have to have another basis in the tort of intrusion upon seclusion. Interestingly, the Supreme Court neither struck down, nor agreed with that portion of the Appeals Court opinion.

III. Conclusion

The New Jersey Supreme Court opinion demonstrates the importance of proper drafting and implementation of Electronic Communication Policies. Such Policies should be updated to take into effect the realities of employee’s use of personal web-based email use at work. Companies may either completely ban the use of employees’ personal use of company computers or allow such personal use but specifically address issues related to the privacy of such communications. Updating such Policies will allow companies to decide to what extent they will limit an employee’s expectations of privacy in the personal of use employer-owned computers. Either way, the employer’s decision regarding attorney client privileged communications must be accurately reflected in their policies, or such policies may not be upheld in court. Additionally, such policies should be properly dated and properly disseminated to the workforce to extinguish any arguments that they are not applicable.

Insurance Provider Settles Case Due to Deficiencies in Electronic Signatures, Electronic Evidence, and Contract Drafting

2010-03-08T09:55:00.004-05:00

By Mehmet Munur

A District Court in New York recently decided a case where the perfect storm of messy contract drafting, which left a key term undefined and ambiguous, lack of proper evidence to prove the date of formation of the contract, and deficiencies in electronic signatures forced a life insurance provider to settle the case. While the court held that the electronic signatures used to sign the life insurance application survived summary judgment, the definition of the term Participant was vague and could not result in summary judgment for the insurance company. The case highlights the importance of precisely defining terms in a contract, building appropriate procedures for proving the existence of electronic contracts, and procedures for identifying the person electronically signing documents.

Neil Dukoff, an AICPA member, and Shari Dukoff, as his dependent, entered into a group life insurance contract with Prudential Insurance for Mrs. Dukoff using an electronic application in 2004. After Shari Dukoff passed away in May 2006, Prudential refused to honor the insurance contract arguing that the insurance contract was based on material misrepresentations in the application related to Mrs. Dukoff’s cancer surgery. Both sides moved for summary judgment, both motions were denied.

I. Prudential’s Arguments for Summary Judgment

Prudential made two arguments for summary judgment. First, it argued that there was no valid contract because Mr. Dukoff was not a party to the contract. Second, Prudential argued that the contract was procured through fraud and was, therefore, invalid. In both cases, Prudential could have helped resolved the issues by properly defining and using the words “Participant,” “Dependent,” “I,” and “My.”

A. Parties to the Contract

The court denied Prudential’s motion for summary judgment on the ground that Mr. Dukoff was not a party to the contract because there was enough doubt as to whether Mr. Dukoff or Mrs. Dukoff signed the contract. The court also found that the contract was ambiguous as to who was the intended party.

Prudential argued that there was no contract because Mrs. Dukoff was in the hospital recovering from surgery during the time she was to have signed the contract. Prudential offered as evidence a computer printout showing that the contract was submitted on May 15, 2004, the date on which both parties agree that Mrs. Dukoff was recovering from surgery in the hospital. However, Mr. Dukoff stated under oath that the contract was signed around March or April 2004. The court held that this printout was not sufficient to accurately show that the date reflected was the date of submission.

Needless to say, this is far too small a digital footprint for a contract that was formed online. Prudential could have built systems that logged applications submitted on its servers. In this log, Prudential could have recorded the time, location by IP address, unique cookie information, and other information related to the submission of the application and produced this evidence in trial. Prudential could have sent an automatic confirmation email to the email address of the applicant right after the submission of the application online. Finally, Prudential could have shown that a confirmation letter was sent several days after the submission with welcome letters and the signed contract. It is likely that Prudential had one or more of these processes in place. However, Prudential did not present any of more evidence than the printed contract with the date. Counsel for Prudential may have been more worried about the ambiguities in the contract than the proving the exact date of formation of the contract.

The court then turned to the language of the contract to address these ambiguities. In at least one section, “the applicant state[d] that ‘I’ authorize Prudential to access ‘my’ medical records to determine eligibility for insurance.” Considering that Mr. Dukoff did not need to provide his medical records, the court concluded that this language pointed to Mrs. Dukoff as the party to the contract. The certificate of coverage was of no use because it stated both names on it. Adding apparent authority and ratification issues to the mix, the court decided that there was a genuine issue of material fact as to who were the parties to the contract.

B. Procurement through Fraud

The court then turned to Prudential’s second argument for motion for summary judgment: fraud. However, the court did not need to address the admissibility of the evidence related to Mrs. Dukoff medical records and fraud. Once again, there was a genuine issue of material fact as to whether Prudential challenged the validity of the contract in the appropriate time.

Prudential contested the validity of the insurance policy after more than 2 years of its effective date. However, Prudential argued that the contract allowed it to contest its validity using Mrs. Dukoff’s statements 2 years after her death. The court found that the undefined term “Participant” made the language related to challenge within 2 years ambiguous. The contract and the certificate of insurance stated:

Incontestability of Dependents Life Insurance
This limits Prudential’s use of a Participant’s statements in contesting an amount of Dependents Life Insurance for which the Participant is insured with respect to a dependent. These are statements made to persuade Prudential to accept you for insurance.
They will be considered to be made to the best of your knowledge and belief. These rules apply to each statement:
(1) It will not be used in the contest unless:
(a) it is in a written instrument signed by the Participant; and
(b) A copy of that instrument is or has been furnished to the Participant or the Participant’s Beneficiary.
(2) If it relates to the dependents [sic] insurability, it will not be used to contest the validity of Dependents Life Insurance which has been in force, before the contest, for at least two years during the Participant’s lifetime.

The court held that the term Participant was not expressly defined and could refer to either Mr. Dukoff or Mrs. Dukoff. On the one hand, the terms “Participant Insurance” and “Dependent Insurance” appropriately and respectively referred to Mr. Dukoff and Mrs. Dukoff. On the other hand, the sentence above relating to “statements made to persuade Prudential accept you for insurance” suggested that Mrs. Dukoff was the Participant.

Most importantly, the last statement quoted from the contract above suggested that the Participant’s statements would not be used to contest validity of the Dependent’s life insurance for at least two years during the Participant’s lifetime. However, the lack of definition of the words “Dependent” and “Participant” resulted in ambiguity in deciding whose words could be used against whom. Therefore, the court returned to basic contract interpretation and sought extrinsic evidence, considered the New York statute where the language was supposed to have come from, and lacking additional evidence to the parties’ intent, rejected Prudential’s motion for summary judgment.

Such key terms should have been appropriately and clearly defined, especially if they were capitalized. Additionally, Prudential might have been better served by inserting the required language directly from the statute, which referred to “statements made by any person” instead of the complex Participant and Dependent scheme that Prudential created.

II. Mr. Dukoff’s Arguments for Summary Judgment

In its motion for summary judgment, Mr. Dukoff argued, among other things, that the statements related to Mrs. Dukoff’s health were not signed due to the failure of the electronic signatures scheme that Prudential used. The court held that particular information used in the application was sufficient to identify her as the person signing the application; therefore, Mr. Dukoff was not entitled to summary judgment on the issue.

The insurance contract prohibited the use of statements made by the insured that was not “in a written instrument signed by the [insured]” to contest the contract. Thus, Mr. Dukoff argued that Mrs. Dukoff did not sign her statements. In return, Prudential argued that the electronic signature on the application satisfied the NY Electronic Signatures and Records Act as well as the contractual requirement for written statement and signature. The New York law states that electronic signature “shall have the same validity and effect as a signature affixed by hand.” The law also defines electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the document.” The court then turned to Prudential’s application process to determine whether it complied with NY law.

Prudential used a “standard” click through that included the following language at the end:

*I agree By submitting this form, I hereby request coverage under the CPA Spouse Life Insurance Plan. I have read the Conditions Applicable to This Subscription on this web site and agree to those statements and conditions. I also hereby subscribe to the AICPA Insurance Trust in accordance with Member’s Subscription and agree to the applicable conditions.

The applicants also had to enter home address and social security numbers. Prudential argued that this click-through agreement and the use of the identifiers satisfied the definition of electronic signature under NY law.

Not finding any case that invalidated a contract based on electronic signatures, the court turned to State of New York Insurance Department opinions. One particular Opinion stated that, generally speaking, a checked box on an electronic form on the Internet constitutes a valid electronic signature so long as it abides by the definition of electronic signature under the New York law. However, the opinion then added that such technology must be “capable of verifying that the person providing the electronic signature is actually the party to be charged. “ The Opinion further stated that “without such verification measure in place, the Department would not consider a checked box to be a valid signature.” Based on this Opinion, Mr. Dukoff argued that Prudential did not have the means to verify the identity of the person electronically signing the document.

The court deferred to the Opinion but it seemed puzzled by one finding. The NY legislature had removed a reference to a requirement for the electronic signature to include a unique identifier capable of verification from the law several years ago. More specifically, the NY law used to require a unique identifier “capable of verification, under the sole control of the person using it, attached to or associated with data in a manner that authenticates the attachment of the signature to particular data.” The court must have felt that the Opinion inserted back this unique identifier and verification requirement. Therefore, in its interpretation, the court changed the “actual identification” language of the Opinion to “reasonable identification” of the person. However, this being a motion for summary judgment, the court’s finding that “it is at least possible that Prudential satisfied this requirement” by using identifying information, such as address, social security number, and physical description, is excusable.

However, considering that the electronic signature in this case was supposed to be able to distinguish between a husband and a wife signing an application for a $500,000 life insurance, the click-through could not have satisfied the standard created by the Opinion. Under the circumstances, provision of the three pieces of information cannot actually identify the person signing the document. The technology supporting the electronic signature was required to identify the person signing the application to a higher degree of certainty than reasonable identification. Here, Prudential did not have the technology or the processes in place to ensure that Mrs. Dukoff and not Mr. Dukoff electronically signed the application. Considering the amount of money at stake, Prudential could have authenticated the signature by sending a password via text message to her cell-phone, via email to her email address, via mail to her home address, or using any other similar method. The first two methods would likely help distinguish between a husband and a wife signing a document under most circumstances. However, it is unlikely that any of these circumstances would help distinguish between the two when one of them is in the hospital recovering from surgery. This is probably one reason that other life insurance companies require applicants to sign their applications over the phone using a voice signature.

In sum, this perfect storm of electronic signatures that barely survived legal scrutiny, lack of evidence proving the date on which the contract was signed, and contract terms that were confusing even to the court to interpret resulted in Prudential having to settle the case shortly after it lost its motion for summary judgment. This case is just another reminder that companies must continue to pay attention to the fundamentals of contract drafting while at the same time paying particular attention to electronic signatures and electronic evidence relating to those contracts.

The case is Prudential Ins. Co. of Am. v. Dukoff, No: 2:07-cv-01080-ADS-MLO (E.D.N.Y. Dec. 18, 2009).

Court Upholds Forum Selection Clause in B2B Clickwrap

2010-01-14T17:07:00.000-05:00

By Mehmet Munur

A District Court in Indiana recently held that NexTag’s clickwrap Terms of Service was enforceable against Appliance Zone despite arguments by Appliance Zone that no contract was formed and that if an agreement were formed it was procedurally unconscionable. Ironically, NexTag was helped by the fact that Appliance Zone was an ecommerce merchant that used a similar sign-up process and similar website terms of use in its own business.

Appliance Zone advertises and distributes appliance parts and accessories through its commercial website. NexTag operates a commercial comparison website and advertises the goods of third parties such as Appliance Zone. NexTag refers customers to the third parties’ website where they can purchase the good and charges a few dimes for every referral.

When Appliance Zone found out that NexTag used Appliance Zone’s trademark to promote the prices of goods of Appliance Zone’s competitors, Appliance Zone brought a trademark infringement suit under the Lanham Act against NexTag in Indiana. NexTag, being a Delaware corporation based out of California, argued improper venue due to the forum selection clause in its Terms of Service Agreement, which every business must agree with before listing their products on NexTag. Thus, the court had to decide whether the forum selection clause in NexTag’s Terms of Service Agreement was enforceable.

Appliance Zone raised three arguments to state that the forum selection clause not applicable: 1) there was no agreement between the parties; 2) if there was an agreement, it was unconscionable; and 3) the lawsuit did not arise out of the agreement and thus it was not governed by the forum selection clause.

First, Appliance Zone argued that the employee that signed up with NexTag did not have the authority to enter into the contract. The court held that the employee had apparent authority to enter into the contract. The employee clicked the radio box next to the statement “I accept the NexTag Terms of Service,” uploaded 20,000 product descriptions and 14,000 product images onto NexTag’s website, and Appliance Zone paid for NexTag’s services. Therefore, the conduct demonstrated acceptance of a valid contract.

Second, Appliance Zone argued that the Terms of Service Agreement was unconscionable because 1) it was inconspicuous, 2) parties had unequal bargaining power, and 3) Appliance Zone did not read it. The court rejected each of these arguments. The court held that the presentation of the Terms of Service Agreement was typical for the online retail industry, that it was clearly labeled, and that it was placed in a highly visible portion of the web page. Appliance Zone also had to check a box to manifest assent to the Agreement. The court also cited Appliance Zone’s similar sign-up process and similar language in its Terms of Use against Appliance Zone to state that NexTag’s Terms of Service Agreement was not procedurally or substantively unfair. The court also stated that Appliance Zone had failed to demonstrate the disparity in the bargaining power and that Appliance Zone would be presumed to have read the terms and agreed to them when it signed them as a matter of fundamental contract principle.

Finally, the court addressed Appliance Zone’s argument that the trademark issue did not arise out of the Terms of Service Agreement. The court held that the binding precedent required that the Agreement govern the dispute between the parties—Appliance Zone had cited to persuasive 2nd Circuit Precedent.

This case highlights how electronic Business-to-Business agreements are more difficult to overturn than electronic Business-to-Consumer agreements. Plaintiff’s arguments related to not having read the agreement, uneven bargaining positions, and unconscionability are mostly arguments raised in Business-to-Consumer settings. However, such arguments are unlikely to work in cases where the party arguing against the enforceability of the contracts employs a similar contract in a similar settings.

The case is Appliance Zone, LLC v. NexTag Inc., No:4-09-cv-0089-SEB-WGH (S.D. In. Dec. 22, 2009).

Article 29 Working Party Releases 12th Annual Report

2010-01-12T17:57:00.003-05:00

By Mehmet Munur

The Article 29 Working Party, a group created under the EU Data Protection Directive and made up of the data protection regulators of each Member State to provide guidance on data protection and privacy issues, has released its 12th Annual Report. The Chairman, Alex Turk, states that the four main issues of the year were protection of children’s personal data, search engines and the large of amounts of data they gather, international transfer of personal data with emphasis on the use of Binding Corporate Rules, and air passenger name records. Overall, Enforcement by the DPAs appears to have increased compared to the previous year.

The report serves as a summary of all EU DPAs’ reports on the implementation of the EU Data Protection Directive, the E-Privacy Directive, major case law, and major specific issues. The following are some of the interesting tidbits from the Annual Report.

The Austrian DPA found that a whistle-blower hotline of a US multinational required that the Austrian subsidiary be considered a data controller. The Austrian DPA held that data transfers by the employees would be imputed to the employer because the employer’s Code of Conduct required its employees to report illegal or unethical activity.

The Danish DPA highlighted the case of a nightclub that wanted to create an electronic access control system that used fingerprints, photos, and black lists of unwanted customers who would be rejected at the door. The DPA allowed the database so long as customers gave explicit consent and data was deleted after consent was withdrawn.

The French DPA, CNIL, stated that it had been in session 50 times and adopted 586 resolutions during the year, an increase of 50% compared to previous year. CNIL also handled 4,244 complaints during the year. It conducted 218 inspections, “an increase of 33 % compared to the previous year.” The DPA imposed fines ranging between $30,000 to $100. CNIL also issued 126 warnings, an increase of 20% compared to the previous year.

The Dutch DPA greatly increased its enforcement activity compared to the previous years. It carried out 95 investigations, an increase of 50% compared to the previous year, and imposed sanctions or threatened to impose sanctions on 68 cases, compared to 39 in the previous year and 2 the year before.

The Spanish DPA, AEPD, was just as active as it was in the previous year. The DPA did not disclose how much money it collected in fines; however, it reported a sharp increase in reported offences. AEPD continued to focus on telecommunications, financial institutions, and video surveillance issues during its investigations. In fact, the financial sector and the telecommunications sector made up the top two spots for fines imposed during the year. The Spanish DPA has also been increasing its activities in the international arena. In addition, AEPD is taking larger leadership role in the Ibero-American Network for Data Protection. During the 31st International Data and Privacy Protection Conference, AEPD made a “Joint Proposal to Draft International Standards for Protection of Privacy and Personal Data” that was unanimously adopted. AEPD is now in charge of developing international standards for the protection of privacy with regard to processing of personal information.

You may read our blog post on the previous year’s report here.

Article 29 Working Party Adopts Documents, Deems Israel and Andorra Adequate

2010-01-06T16:25:00.003-05:00

The Article 29 Working Party started the new year with a volley of announcements. The Working Party document WP 165 states that Israel guarantees an adequate level of protection and WP 166 states that Andorra has adequate privacy protections. Additionally, the Working Party issued WP168 on “The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data.”

WP168 is a response to the Consultation by the European Commission asking for views on whether the EU’s current legal framework was satisfactory for the challenges posed by new technology and shifts in culture since the adoption of the EU Data Protection Directive in 1995. The Working Party, with the cooperation of the Working Party on Police and Justice, state that “the main principles of data protection are still valid despite the new technologies and globalisation.” However, the consultation also proposes that concepts of consent and transparency be clarified, additional principles such as privacy by design and accountability be adopted, bureaucratic burdens be simplified, and that fundamental rights be unified to apply to police and judicial cooperation in criminal matters. This document suggest the direction that European Data Protection is likely to take in the near future.

Florida Ethics Opinion Underscores Risks Associated with Social Media for Attorneys

2009-12-21T10:46:00.008-05:00

by Mehmet Munur

Florida Judicial Ethics Advisory Committee recently issued an opinion that answered the question “Whether a judge may add lawyers who may appear before the judge as ‘friends’ on a social networking site, and permit such lawyers to add the judge as their friend” in the negative. Though social media can be a valuable tool for any profession, the opinion emphasizes why attorneys should consider the risks involved in contributing to social media. While not mentioned in the opinion, attorneys should also consider other risks associated with listing specialties, receiving client testimonials, and unintentionally forming attorney-client relationships.

Commentators, such as Professor Stephen Gillers (see NY Times Article) have argued that the judges may be oversensitive to judges “friending” attorneys in Facebook, I believe that the opinion is just the beginning in a series of opinion that are likely to highlight related issues that may come up in social media. Before joining LinkedIn, we considered the Ohio Supreme Court’s guidance on some of the issues mentioned above. First, we considered whether we could join such an organization in the first place and be listed as attorneys. Ohio Supreme Court Opinion 88-4, though superseded by the Ohio Rule of Professional Conduct 7.4, stated:

A lawyer may ethically be listed in a legal directory or law list provided the listing does not contain a false, fraudulent, misleading, or deceptive statement or claim.

This opinion probably refers to MartinDale Hubbell listings, which are dominated by attorneys. While LinkedIn is professional in nature, attorneys in no way dominate it. I remember seeing that LinkedIn included about 700,000 attorneys (apologies for the lack of citation) out of their 50 million professionals. Nevertheless, the Ohio Supreme Court opinion highlights issues involved in joining such social media outlets in the first place. Therefore, attorneys must ensure that their listings in any social media do not contain false, fraudulent, misleading, or deceptive statements.

Issues related to attorneys’ specialties may also arise on social networks. The Supreme Court of Ohio only recognizes a few areas of specialization, such as admiralty, trademark, and patent law. Therefore, avoid listing specialties unless you are actually specialized under Rule 7.4. LinkedIn includes a "specialties" section by default field in profiles, which if overlooked, may inadvertently describe an attorney to have specialized in those areas. Therefore, double-check your profile to ensure that you have accurately listed your specialization.

Another cause for concern is client testimonials. While the prohibition against client testimonials have been superseded, Model Rule 7.1 states that a “lawyer shall not make or use a false, misleading, or nonverifiable communication about the lawyer or the lawyer’s services.” Note that the Model Rule, which came into effect in 2007, “does retain the DR 2-101 prohibition on unverifiable claims.” Therefore, “[w]hatever means are used to make known a lawyer’s services, statements about them must be truthful.” The Ohio Supreme Court Opinion 2000-6 further states that:

a law firm’s public communication of client quotations describing the general nature of the legal services provided, responsiveness of the law firm, and other non-substantive aspects of the firm’s representation is improper under the professional rules of conduct. This view is based on the current rules in the Ohio Code of Professional Responsibility and is consistent with ABA Model Rule 7.1, the Comment thereto, and the advice offered by the Board in Opinion 89-24.

Therefore, it may be a good idea to ensure that client testimonials are verifiable to an objective degree or avoid client testimonials altogether.

While the Model Rules are silent on the issue of the formation of an attorney-client relationship, the Restatement Third of the Law Governing Lawyers section 14 provides that:

A relationship of client and lawyer arises when:
(1) a person manifests to a lawyer the person's intent that the lawyer provide legal services for the person; and ...
(b) the lawyer fails to manifest lack of consent to do so, and the lawyer knows or reasonably should know that the person reasonably relies on the lawyer to provide the services

Such an issue may arise while answering LinkedIn questions or a direct inquiry by another Facebook or LinkedIn member. Inadvertent formation of an attorney-client relationship bring with it all of the conflicts issues that an attorney should consider before representing a client.

Therefore, attorneys should double-check their jurisdictions’ ethics guidance to ensure that they are not running afoul of ethical rules that have been in at work for some time but may arise in ways not previously imagined.

See also Legal Blog Watch regarding a related South Carolina opinion regarding law enforcement officials and judges.

You can also find a link to the ABA Model Rules here.

Court Rejects Plaintiff’s Argument that Overbroad Privacy Policy Led to Waiver of 1st Amendment Rights

2009-12-15T17:36:00.007-05:00

By Mehmet Munur

A federal district court in Missouri ruled on December 9 that the broad website privacy policy of a newspaper did not lead to an anonymous commenter’s contractual waiver of his First Amendment rights. While the case does not break new ground in First Amendment jurisprudence, it emphasizes some of the shortcomings of the self-regulatory system of privacy regulation of the web in the US. Such overbroad privacy policies and underlying practices may be one reason why the FTC is shying away from the Notice-Choice paradigm.

The plaintiff brought a motion to compel in order to reveal the identity of an anonymous commenter, who was not a party to the litigation, for comments posted on a News-Leader article. First, the Plaintiff argued that the anonymous commenter’s speech was not given absolute protection. While the court agreed, it stated that political speech was given high level of protection especially in circumstances where the commenter was not a party to the litigation and dismissed the argument.

Second, the plaintiff argued that the anonymous commenter agreed to the News-Leader’s Privacy Policy during the sign-up process and, therefore, waived his First Amendment rights to anonymous speech. The Privacy Policy stated:

We also reserve the right to use, and to disclose to third parties, all of the information collected from and about you while you are using the Site in any way and for any purpose, such as to enable us or a third party to provide you with information about products and services that may be of interest to you. In some cases we will use and/or share only non-personally identifiable information, but in other cases we may use and share personally identifiable information.

The District Court rejected this argument as well because “a contractual waiver of constitutional rights ‘must, at the very least, be clear.’” Therefore, the District Court declined to reveal the identity of the anonymous poster.

Leaving aside the free speech issues, the case also highlights some of the issues with the current state of privacy regulation on the web in the US. First, FTC’s aspirational Fair Information Practice Principles seek to stop such overreaching privacy policies. The Notice principle, which is “the most fundamental” of the principles, states that the entity collecting the data should “properly inform” consumers “of the uses to which the data will be put” and the “identification any potential recipients of the data.” Therefore, stating that the data transferred to any third party for any purpose does not properly inform a consumer. Nevertheless, this inconsistency does not create any liability because the FIPPs are only guidelines and they are not enforceable. FTC expects the industry participants to regulate themselves and only appears to bring enforcement actions against the most egregious of violators.

In contrast, websites in jurisdictions with omnibus data protections laws, such as the EU, would be hard pressed to implement such privacy policies. The EU Data Protection Directive states in Article 6 that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Since the purposes in the privacy policy are neither specified nor explicit, any further use by the collecting entity or a third party would violate the Directive and its national counterparts.

However, this difference in approaches to privacy regulation may be changing. Commentators and regulators in the EU and the US recognize the shortcomings of the Notice-Choice paradigm and are moving away from it. Recently, in the Madrid International Conference of Data Protection and Privacy Commissioners highlighted some of the issues with Notice-Choice and the need to move towards an Accountability standard. In fact, the regulators signed a document to that effect during the conference. Two weeks later, the Department of Commerce Conference on Cross Border Data Flows, Data Protection and Privacy reiterated the same message—primarily because the attendees were the same people. Finally, just last Monday, several attendees to the FTC Privacy Roundtable highlighted the issues with self-regulation in the US and the need to move to an Accountability standard. In fact, the FTC hinted at the need to refine the current Notice-Choice paradigm with the Sears enforcement action. Given the regulatory momentum, we will likely see the FTC providing more guidance for websites on privacy issues soon after the Privacy Roundtables, at the very least in the behavioral advertising realm.

The case is Sedersten v. Taylor, No. 09-3031-CV-S-GAF, 2009 U.S. Dist LEXIS 114525 (W.D. Mo. Dec. 9, 2009).

See also Venkat Balasubramani’s comments via Eric Goldman’s Blog.

Supreme Court to Review Electronic Communications Case

2009-12-14T16:44:00.004-05:00

by Mehmet Munur

The Supreme Court will review a 9th Circuit Court case finding that the unauthorized search of employee text messages on an employer provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy.

Once again, the Supreme Court’s review of the case highlights the complexity of employee electronic communications in the workplace. With the extensive use of blogging and social media in the workplace, it is becoming more and more important to put in place explicit electronic communication policies and to implement those policies uniformly. You can find our previous blog post on the 9th Circuit Opinion here.

Regulators Issue Final Model Privacy Notice

2009-11-23T20:15:00.018-05:00

By Mehmet Munur

On November 17, eight federal regulators issued final rules and model privacy notice forms as required under the Gramm-Leach-Bliley Act. While the use of the notice forms are not required, the two-page forms create a safe-harbor for disclosures required under the GLBA.

The notice forms replace the Sample Clauses previously issued by the regulators. The regulators stated that their studies “confirm[ed] that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks – because the notice is short and not because it is understandable – but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices – in which the Sample Clauses are typically embedded – do poorly on all measures.” Therefore, the regulators appear to want to increase the use of the model clauses as much as possible.

The FTC has been pushing for alternate means of providing notice to individuals for some time. The FTC noted in its February 2009 Behavioral Advertising Staff Report that “privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” Then in its recent Sears Enforcement, FTC stated that Sears failed to “disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers.” Sears had mentioned the broad nature of data collection only in the 75^th line of a legal agreement. Then in August, FTC once again mentioned the Sears enforcement and the need to provide better notice in the Health Breach Notification Rule; stating “[b]uried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” FTC will be conducting Privacy Roundtables in the near future. We expect the highlights notices, model privacy notices, and Carnegie Mellon’s Nutrition Label Approach to privacy statements to take center stage in these roundtables.

FTC Delays Enforcement of Red Flags Rule, Court Holds Red Flags Do Not Apply to Lawyers

2009-10-30T18:35:00.003-04:00

by Mehmet Munur

The FTC news release notes that the Federal Trade Commission delayed the enforcement of the Red Flags rules until June 1, 2010. The FTC news release also notes the decision by the U.S. District Court for the District of Columbia that the FTC Red Flags Rules did not apply to attorneys. The Federal Trade Commission v. American Bar Association order states that the memorandum will be published in the next thirty days.

The FTC promulgated the Red Flags Rules under the authority given to it by the Fair and Accurate Credit Transactions Act. FTC had previously suspended the enforcement of the rules until November 1, 2009. Congress is currently considering a bill that would limit the scope of the Red Flags Rules.

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

2009-10-19T12:34:00.003-04:00

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.

The FTC entered into a consent agreement with ChoicePoint was due to compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forwent business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers” which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also increased the final data by which ChoicePoint would be subject to biennial audits by two years to 2028. The new consent order may be found here.

The FTC enforcement reiterates FTC's attitudes about privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and require it to step up its information security operation or face even more fines and enforcement from the FTC.

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

2009-10-07T15:51:00.003-04:00

By Mehmet Munur

On October 6, 2009, Federal Trade Commission filed six complaints against companies falsely claiming that they were self-certified to the Department of Commerce EU Safe Harbor when their certification had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to avoid misrepresenting that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods allowing US corporations to export data from the EU while complying with the Article 25 of the EU data Protection Directive, which requires that data only be transferred to countries with adequate data protections—with exceptions. The Department of Commerce, European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify for the Safe Harbor and the DoC maintains a list of these companies on its export.gov website. However, the Federal Trade Commission and the Department of Transportation have the authority to enforce the Safe Harbor. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed to either recertify or remove their representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but failed to recertify since 2007. Progressive GaitWays had certified in 2004 but failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. Any “act or practice is likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified with the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of FTC’s willingness to bring enforcement actions in this area in the future. The recent changes to the list showing organizations certified to the Safe Harbor is possibly another indication of things to come. International Trade Administration website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.

FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

2009-08-24T15:34:00.004-04:00

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against a California website for deceptively claiming to be a member of the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement involving the FTC’s authority to prosecute violations involving EU Safe Harbor and FTC’s authority to prosecute an American company for deception of foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver on minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based out of Pasadena, California. However, it operates under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, states prices in pound sterling, and referred to UK competitors and Royal Mail. The website did not specifically state its location, though such a disclosure is required under the Distance Selling Directive. Therefore, the FTC inferred that the websites advertised and sold consumer electronics products to consumers in the UK “under the pretext of being located within the UK.”

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes. Some of these products were incompatible with the UK power grid. The websites also stated that the products would be covered under warranty. The products were not designed for distribution in the UK and, therefore, were not covered by warranty. Further, consumers were not allowed to cancel their orders, charged 50% restocking fees, and items were not shipped for weeks.

Finally, the defendants advertised that they self-certified with the Department of Commerce for the EU Safe Harbor when they were not. However, this false statement defies all logic. It does not help the defendants establish that they are a website based in the UK. A corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Maybe this was the company’s way of stating that it was transferring data to the US. Maybe, the website owner believed that the Safe Harbor deception would make their website more attractive to UK customers. Nonetheless, Balls of Kryptonite is likely subject to this enforcement not due to inadequate legal advice, but lack of legal advice.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example due to its scope. The TRO enjoins the defendants from misrepresenting “[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.” Thus, the FTC enjoined the defendants from misrepresenting that they are members of any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor Program is intricately linked to the third-party programs. The Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism that TRUSTe’s EU Safe Harbor Program and BBB EU Safe Harbor offer. However, one could argue that third-party privacy seals programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods. The Safe Harbor issue appears to be tacked onto the other issues. The Safe Harbor program has been in existence for nearly a decade and studies by the European Commission in 2004 and others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC would bring section five claims exclusively in the data protection realm in addition to mixed consumer protection claims.

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

2009-08-19T15:44:00.004-04:00

By Mehmet Munur

On August 18, Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect in 30 days from publication in the Federal Register. The FTC will only begin enforcement after 180 days of the publication of the final rules.

The final rules addressed the public comments to the proposed rules, clarified certain issues such as the broad scope of the rules, the application of either the HHS or FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute personal health record. On the other hand, FTC renewed its statement that de-identified data would not be considered personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show FTC’s renewed interest in the identification of individuals using non-personally identifiable information. FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.

The final rules also addressed privacy notices and, with it, FTC’s recent incursion into privacy enforcement and behavioral advertising. FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of “meaningful choice.”” The FTC cited to the recent Sears enforcement to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice as a data breach.

The final rules now make it easier to provide individual notice through email as well. The FTC is persuaded that the relationship between the vendors of PHR, PHR related entities, and consumers take place online, email notice can be used as a default option. Individual’s express affirmative consent to notify by email is no longer necessary. Nevertheless, the consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation is required for the receipt of emails, only “reasonable efforts to contact all individuals” is required. EPIC advocated for social media breach notification. The FTC declined to adopt such measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting on websites to 90 days. With respect to notifying the FTC of breaches for breaches involving more than 500 people, the FTC increased the time to provide notice to FTC to 10 business days from 5. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules were set by the Stimulus Bill and cannot be changed, the FTC stated that it will “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” 180 after the publication of the final rules. The HHS should shortly follow with its final rules on the Stimulus Bill.

Federal Authorities Prosecuting Suspects of Heartland and Hannaford Breaches

2009-08-17T18:13:00.002-04:00

By Mehmet Munur

US Department of Justice reports that federal authorities are prosecuting three suspects for stealing 130 million credit card numbers from Heartland Payment systems, 7-eleven stores, and Hannaford stores. We previously reported on the Heartland Payment Systems Breach and the Hannaford Stores Breach.

The indictment details how Albert Gonzalez and his co-conspirators allegedly “used sophisticated hacker techniques [SQL injection attacks] to gain access to the networks to cover their tracks and to avoid detection by anti-virus software used by their victims.” The suspects allegedly scouted the stores of the corporate victims and their websites for vulnerabilities. Allegedly, in order to cover their tracks, the suspects “program[ed] malware to be placed on the Corporate Victims’ computer networks to evade detection by anti-virus software and then testing the malware against approximately 20 different antivirus programs.”

The breach cost Heartland not just million of dollars but also temporary loss of its PCI certification. Soon after the Heartland Payment systems breach, Heartland lost its PCI certification as reported by VISA CISP. Since then, Heartland has regained its PCI but also disclosed in its 10-Q filing with the Securities and Exchange Commission that it faced $32 million in expenses due to the breach. $22 million of those charges related to fines imposed by card brands and settlement offers, while the remaining amounts were spent on “legal fees and costs the Company incurred for investigations, remedial actions, and crisis management services.”

Shortly after the Heartland breach, in July 2009, PCI Security Standards Council issued the Wireless Guideline, which makes specific recommendation related to the deployment of wireless networks. The recommendations are sometimes as detailed as setting up firewalls, accounting for wireless access points, changing default passwords and settings on wireless devices, and using strong wireless authentication and encryption. On the other hand, despite outlining the weaknesses in WEP, PCI DSS v1.2 only requires discontinuing WEP as of June 30, 2010. Unfortunately, use of WPA or WPA2 only remains a recommendation.

In our previous review of the breaches, we had suggested that “due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point.” Considering that the suspects used custom written malware that was tested to avoid detection by anti-virus software, Heartland could have only protected itself from the attack by preventing the SQL injections in the first place. While complete security remains a difficult objective to attain, we still believe that a vigorous and comprehensive approach to data security is possibly the only defense against such breaches.

Amending Website Terms of Use Requires Care

2009-08-05T12:21:00.008-04:00

By Mehmet Munur

Recent case law examining website terms of use highlights the importance of drafting qualified change of terms provisions for online agreements, proposing reasonable unilateral amendments, providing adequate notice, and keeping track of differing versions of online agreements and assents to such agreements.

Security & Privacy Update Summer 2009.pdf

Sears Settles with FTC on Information Tracking

2009-07-26T15:30:00.008-04:00

By Mehmet Munur

FTC entered into a settlement agreement with Sears in June related to its failure to provide adequate notice to its customers during the sign up process for an information collection software. This settlement highlights the need to create accurate highlight notices for privacy policies.

Sears invited customers visiting the Sears.com website and kmart.com websites to join the My SHC Community. Sears paid the customers $10 to sign up to participate in the community. Customers downloaded and installed a “research” software for participating in the community after being presented with the privacy policy and a license agreement.

Sears mentioned on its marketing material that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumer’s online sessions including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. FTC appears to be concerned that Sears’ “Privacy Statement and User License Agreement” did not discuss the full scale of the data mining until the 75th line of the agreement. The agreement stated:

Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.

Therefore, the FTC argued, burying the scope of this information collection activity in the 75th line of legal agreement did not adequately disclose the fact that the consumer was allowing the tracking for all of his internet activity. This, the FTC concluded, was a deceptive practice under section 5 of the FTC act.

In hindsight, Sears probably did not need all of the data that it gather in the first place. The competitive advantage that Sears may gain in collecting and processing such sensitive financial and health data is likely to be outweighed by the disadvantages in maintaining the confidentiality of such sensitive information and the public relations problems that follow its disclosure. Even if Sears could in fact use this data, installation of software that practically works like a commercial key logger likely requires specific and unambiguous consent.

In light of the Sears settlement, corporations should consider building several layers of privacy policies. Article 29 Working Party and the UK ICO have proposed simplifying privacy policies to provide better notice to data subjects. Such a scheme would require that corporations build and use highlights notices that provide a summary of privacy notices that then provides links to the full privacy policy.

In fact, some corporations, such as Google and Microsoft, have started using the A29WP approach in their privacy policies. Note that the users would still be bound to the full privacy policy with such an approach. Therefore, this highlights notice makes privacy policies easy to understand for consumers while maintaining the detailed approach of a privacy policy. Possibly, Sears could have used such a privacy policy on its website and more accurately described its information collection.

District Court Holds Blockbuster Arbitration Provision Unenforceable

2009-05-16T15:42:00.004-04:00

By Mehmet Munur

A District Court in Texas recently held Blockbuster’s website terms and conditions arbitration provision illusory and therefore unenforceable due to Blockbuster’s right to unilaterally modify it. The District Court cited to established Texas precedent to argue that nothing in the website terms prevented the arbitration provision's retroactive application.

The plaintiff sued blockbuster in connection with the controversial Facebook beacon program and its integration with Blockbuster as a violation of “the Video Privacy Protection Act, 18 U.S.C. § 2710, which prohibits a videotape service provider from disclosing personally identifiable information about a customer unless given informed, written consent at the time the disclosure is sought.” The plaintiffs argued and the court held that the arbitration provision was illusory and therefore unenforceable.

The district court analyzed the Blockbuster Terms and Conditions under Texas law. The terms and conditions state:

Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.

In finding this run-of-the-mill terms of use provision illusory, the court relied not on another business-to-consumer case, but Fifth Circuit case analyzing business-to-business agreements.

More specifically, the District court relied on Morrison v. Amway where the distributors signed Amway’s standard distributorship agreement. Facing disputes relating to the calculation of profits, Amway instituted an arbitration provision and published it in its magazine as well as other media sent to the distributors. Amway required that the distributors sign an acknowledgement form and send it back to Amway. Though all distributors renewed their agreements with Amway, two different groups sued Amway in federal as well as state court, both of which were stayed pending litigation. The arbitrator issued judgments and awards without opinions and the district court confirmed these opinions. The parties appealed their case to the Circuit Court.

The Circuit Court examined Amway’s arbitration policy to determine whether it was a valid agreement to arbitrate under Texas law. While the distributors had agreed to conduct their business according to Amway’s Code of Ethics, which would be amended from time to time, “the only express limitation on that unilateral right [was] published notice.” The Circuit Court was concerned that this unqualified right to amend the arbitration policy might apply to disputes arising before as well as after its publication. The Circuit Court held that this unqualified right to modify the Code of Ethics was unenforceable.

The Circuit Court relied on two Texas Supreme Court decisions. In one case, Texas Supreme Court had concluded that application of the arbitration policy 10 days after reasonable notice would be enforceable. In another case, however, the Texas Supreme Court plainly stated that “if the defendant-employer retained the right to ‘unilaterally abolish or modify’ the arbitration program, then the agreement to arbitrate was illusory and not binding on the plaintiff-employee.”

The District Court, relying on Morrison v. Amway and the underlying Texas precedent, concluded that the Blockbuster arbitration provision was illusory. Based on this web of Texas Supreme Court, Circuit Court, and District Court opinions, companies using arbitration policies—either in human resources policies, supplier agreements, or website terms of use—should qualify them. Such qualification should include at least a 10 day delayed application period and an explicit statement that makes the arbitration provisions applicable only to disputes arising after reasonable notice to counter any arguments that the contracts are illusory.

The cases are Harris v. Blockbuster Inc., No. 09-217, (N.D. Texas Apr. 15, 2009) and Morrison v. Amway, 517 F.3d 248 (5th Cir. 2008).

FTC and HHS Issue Proposed Rules on Breach Notification

2009-04-23T11:12:00.004-04:00

By Mehmet Munur

Both the Federal Trade Commission and the Department of Health and Human Services issued proposed regulations last week to satisfy their obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was a part of the American Recovery and Reinvestment Act of 2009. The FTC rules address the obligations of non-HIPAA covered entities such as vendors of personal health records and third party service providers, while the HHS rules address the procedures required to secure unprotected health care information. Affected entities should invest in technologies that prevent and detect breaches and also draft and implement policies to notify the appropriate parties when they do occur.

FTC Proposed Regulations:

While the FTC proposed regulations track the HITECH Act in many respects, they differ in others. The definitions of the terms business associate, HIPAA-covered entity, personal health record, PHR identifiable health information, vendor of personal health records, and unsecured stay substantially the same as under the HITECH act. However, the FTC adds more substance around the concepts of third party service providers, presumption for acquisition, notification of senior officials in vendors in a breach, and discovery of data breaches.

While PHR related entities and third party service provider are non-HIPAA covered entities, they are, nevertheless, covered by the HITECH Act’s breach notification provisions enforced by the FTC. Third party service providers include “entities that provide billing or data storage services to vendors of personal health records or PHR related entities.” Such services certainly include the likes of Google Health and Microsoft HealthVault. Both services have been in the spotlight recently. Google Health recently signed up CVS and HealthVault recently announced a partnership with the Mayo clinic.

Due to the difficulty in determining whether access results in acquisition of data, the proposed FTC regulations enhance the definition of breach by adding language that creates a presumption of unauthorized acquisition where unauthorized access has taken place. However, the vendor or the PHR related entity may rebut this presumption where it “has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”

The proposed regulations also require entities to notify senior officials in vendors or PHR related entities and to obtain an acknowledgement in the event of a breach. The FTC also prevents entities from ignoring a breach by making inability to reasonably ascertain a breach to be a violation of the regulations. On the other hand, the failure to discover a breach would not constitute a violation of the rules if the organization had strong breach detection measures and still failed to detect it. Therefore, breach detection is almost as important as breach notification under the proposed regulations.

The FTC expects the rules to affect about 900 entities and cost a total of $1 million for 11 breaches per year. The FTC appears to be concerned about some overlap between the FTC and the HHS regulations and is therefore seeking comments on the dual role of certain entities which would bring them under the scrutiny of the both FTC and the HHS. More detail on the proposed rules can be found at the FTC website.

HHS Proposed Regulations:

The regulations proposed by the HHS mainly concern the definition of the term “unsecured” as it modifies “protected health information” under the HITECH Act. This term is crucial as notification is not necessary if the protected health information is secured.

If the Secretary had not issued timely guidance, the term “unsecured protected health information” would have meant “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).” Now that the HHS has proposed these regulations, protected health information will be secured if it is encrypted or destroyed. However, such encryption and destruction will have to abide by the strict requirements of National Institute of Standards and Technology Special Publications on encrypting and destroying data.

The HHS relies on the existing HIPAA Security Rule for encryption and requires “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” where the keys for decryption have not been breached. However, as a new measure, the HHS issued an exhaustive list of NIST publications for encrypting data at rest and for encrypting data in motion. For example, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, recommends that travelling laptops should be secured using full-disk encryption and pre-boot authentication. HHS also requires that electronic media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, which requires that magnetic hard drives be purged using “Secure Erase” or degaussing, making them inoperable. The HHS is seeking public comments on the adequacy of some of these methods. More detail about the HHS proposed rules can be found at the HHS website.

The comment period for both sets of regulations will last until June and the agencies should issue interim final rules by August, which may result in changes to the proposed regulations. In addition, Congress may create a federal breach notification law after it receives the joint FTC-HHS report on the entities the HITECH Act regulates. Nevertheless, both HIPAA covered entities and non-HIPAA covered entities should invest in technologies and policies to prevent data breaches that may affect their bottom lines through breach notification costs, regulatory fines, and tarnished brands.

Court Strikes Down Electronic Signature Due to Weak Security Procedures

2009-03-23T22:48:00.003-04:00

By Mehmet Munur

The US District Court in Kansas held on February 19, 2009 that the data security procedures Dillard’s Stores had created to authenticate the electronic signature its employees used to execute an arbitration policy were not sufficient. While the case may have turned on its particular facts, Dillard’s could have avoided such problems by abiding by ISO 17799 procedures in operating its electronic signature systems.

The plaintiff, Yolanda Kerr, successfully kept her claim in court because she disputed the formation of the arbitration agreement. In 2005, Dillard’s started requiring current and new employees to sign an electronic arbitration agreement through its intranet system. In theory, Dillard’s associates executed their agreements using either a social security number or associate identification number and a unique confidential password followed by clicking an “I accept” button. The plaintiff refused to electronically sign the arbitration agreement for nearly six months despite alleged threats from supervisors and the store secretary that she would be fired if she failed to do so.

In April of 2006, the plaintiff missed a day of work. When she showed up for work on April 28, she told the store secretary that she had missed the day of work because she did not have access to the intranet site that contained her schedule. To give her access to the schedule, the secretary accompanied the plaintiff to a computer kiosk, reset her password to the default password, and demonstrated how to access the system. Then the store secretary took control of the computer again and navigated through various screens with the plaintiff beside her. Plaintiff alleged that the store secretary electronically signed the arbitration agreement at this point. After the interaction at the computer, the two left the break room together. Five minutes later, the system automatically sent the employee’s account an email confirming the execution of the arbitration agreement. The email stated that failure to reply to the email would deem agreement to the plaintiff’s electronic signature of the arbitration agreement. Someone opened the email but did not respond. Dillard’s later terminated the plaintiff for allegedly calling a supervisor a profane name. The plaintiff sued for discrimination and Dillard’s attempted to compel arbitration at court.

In analyzing the electronic signature, the court concluded that Dillard’s failed its burden to show through a preponderance of the evidence that the plaintiff knowingly and intentionally executed the agreement for two reasons. First, the court did not want to impute the electronic signature to the plaintiff due to the possibility, however minimal, that the store secretary may have fraudulently executed the agreement while plaintiff was standing beside her. Second, the court held that Dillard’s did not have adequate security procedures in place to restrict unauthorized access to the execution of the arbitration agreement. While the record showed that the employees were at the kiosk on April 28, it did not show that the plaintiff was at the kiosk precisely at 3:26:20. In other words, Dillard’s failed to show that the username, authentication, and the signature coincided with the employee’s log in. It is unclear whether Dillard’s systems had the capacity to log such information or if Dillard’s failed to produce such evidence. Nevertheless, the two factors persuaded the court hold that Dillard’s had not satisfied its obligation to show that there was an enforceable arbitration agreement.

In sum, Dillard’s electronic signatures system failed for two reasons. The systems failed to log associates’ access to the system and the system did not require that the associates change their default passwords immediately. In fact, both policies, are recommended under of ISO 17799 Information technology — Security techniques — Code of practice for Information Security Management. ISO Section 10.10.1 Audit Logging requires that “[a]udit logs recording user activities, exceptions, and information security events should be produced and kept” and include “dates, times, and details of key events, e.g. log-on and log-off.” Arguably, the formation of a legally binding agreement that compelled arbitration is such an event. Furthermore, ISO Section 11.2.3 User Password Management requires that “when users are required to maintain their own passwords they should be provided initially with a secure temporary password . . . , which they are forced to change immediately.” Here, it appears that Dillard’s system continued to operate and allow either the plaintiff or the store secretary to electronically sign the arbitration agreement. Implementing both of these procedures would have greatly helped Dillard’s satisfy its burden. However, it is unlikely that ISO 17799 would not have protected Dillard’s store secretary from fraudulently executing the arbitration agreement by either using the default password or using the plaintiff’s username while she stood by her side.

Unfortunately, the court was not too impressed with the security procedures that Dillard’s already had in place because they were violated. For example, associates were prohibited from sharing passwords and supervisors could only log into associate’s accounts if they reset their password to the default password. Dillard’s also posted notices regarding the confidentiality of passwords. Nonetheless, the two employees, in effect, shared their username and their password and the authentication failed because the system could not keep track of the actual person that signed the agreement. Such user failure combined with a weak logging and password feature resulted in the failure of the electronic signature.

The case is similar to Campbell v. General Dynamics, No. 03-11848-NG (D. Mass. June 3, 2004) where the court held that the employer could not prove an employee’s acceptance of an arbitration policy simply by sending a link to the policy in an email. There General Dynamics proved that the employee had opened the agreement but could not show that he had indeed clicked on the link or agreed in any other way. Furthermore, that email did not even mention the importance of the arbitration policy until its fifth paragraph. The court had noted that General Dynamics could have required the plaintiff to signify his acceptance by a return email he had read the email and accepted the conditions of the arbitration policy. In sum, both the employers in Campbell and Kerr failed to successfully use the technology they had available to them.

This case should set a good example for all employers using electronic signatures for policies. IT, HR, and Legal Departments may need to collaborate to ensure that established security procedures such as the ISO 17799 are used for variety of issues including authentication, accurate system audit logs, and password resets. Moreover, all industries depending on electronic signatures should focus on security procedures to preempt the argument that the electronic signatures they collect do not in fact belong to their system users.

The case is Kerr v. Dillard Store Services, Inc., No. 07-2604-KHV, (D. Kan. Feb. 17, 2009).

Stimulus Bill Requires Data Breach Notification Under HIPAA and Signals Broader Enforcement

2009-02-27T17:57:00.003-05:00

by Mehmet Munur

The American Recovery and Reinvestment Act that President Obama signed into law on February 17, 2009 includes wide reaching data breach notification provisions for entities covered by the Health Insurance Portability and Accountability Act and organizations servicing those entities. It also has privacy provisions related to sales of protected health information, marketing, fines, and enforcement. The Act is likely to increase joint enforcement activities by the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights. Such enforcement will likely result in settlements similar to the CVS settlement on February 18, 2009 that arose out of improper disposal of protected health information.

I. Data Breach Notification

The Act places notification obligations on covered entities, business associates, and vendors of personal health records for breaches of protected health information as well as required updates to contracts between covered entities and business associates.

A. Covered Entities

Generally speaking and without using the defined terms of the Act, an entity’s duty to notify arises when it has a breach involving unencrypted personal health information that it processes. The entity must then notify, the individual, the media, and the Secretary of the DHHS within 60 days of finding out about the breach, so long as the law enforcement exception does not apply. In creating these obligations, the Act defines the terms breach, electronic health record, personal health record, and vendors, but retains the earlier definitions of covered entities and business associates from HIPAA. The Act and the obligation to notify will likely become effective for breaches discovered 210 days from its enactment.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The term has several narrow exceptions related to inadvertent disclosures to authorized users. Most importantly, a breach is deemed to have been discovered on the first date on which it is known or reasonably should have been known to have occurred.

Covered entities still refer to health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form. Processing, while not a term used in the language of the Act, includes access, maintenance, retention, modification, storage, destruction, using, or disclosing.

Unencrypted personal health information refers to the defined term unsecured protected healthcare information. The portion of term referring to protected healthcare information retains its definition under HIPAA and means individually identifiable health information that is either transmitted by electronic media or maintained in electronic media, or both. Unsecured, on the other hand has two meanings. The Secretary should issue guidance specifying the technologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals within 60 days. If he does not, then that technology will be a technology developed or endorsed by the American National Standards Institute. Though the Act does not specify that technology, it will probably be the Advanced Encryption Standard used by the Federal government for sensitive documents.

Notification takes 3 forms: individual, media, and the DHHS. Notification must be made without unreasonable delay and within 60 days after its discovery. However, the law enforcement exception can delay such notification if the entity receives and documents a written or oral statement from the DHHS. The burden to prove that the notification was performed according to the Act lies with the covered entity.

Entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the entity to have been accessed, acquired, or disclosed during the breach. This individual notice may be by first class mail at the last known address of the individual or by email if that is the preference of the individual. If the entity has more than 10 individuals with insufficient or out of date contact information, then it is required to place a conspicuous post on its web page or notice in major print or broadcast media for a period of time that the Secretary specifies. The entity may also notify by phone due to possible imminent misuse of the information.

The entity must notify prominent media outlets serving a state or jurisdiction if the information of more than 500 residents are reasonably believed to have been subject to the breach. The entity must also notify the Secretary. If the breach involves more than 500 individuals, the entity must notify immediately, whereas breaches involving less than 500 individuals may be submitted in an annual log. The Secretary is then required to post breaches involving more than 500 individuals on its website.

The Act delineates the contents of the notifications. They must include a brief description of the events, the date of the events, a description of the types of information involved, the steps the individuals should take to protect themselves from any harm that may result, and procedures for contacting the entity through a toll-free phone number, email address, or website.

The Secretary must also pass interim final regulations on breach notification within 180 days. These regulations will apply to breaches discovered after 30 days after their enactment. These regulations will certainly require covered entities to craft breach response procedures and implement them promptly.

B. Business Associates

Business associates that service covered entities under HIPAA have an obligation to notify the covered entities in the event of a breach. Business associates are now also subject to the same security procedures that covered entities are under HIPAA and these requirements must also be incorporated in their agreements.

The definition of a business associate has not changed with the Act. Business associates still refer to persons that perform or assist any activity involving the use or disclosure of individually identifiable health information or persons performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity. The Act states that the business associates need to notify the covered entities who must then notify the individuals. However, the requirements related to timeliness and the discovery of the breach are the same.

Covered entities will need to amend their contracts with business associates to reflect the provisions of the Act. These amendments must include administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements promulgated by the DHHS. Business associates that receive protected health information may be subject to fines for wrongful disclosures of protected health information. Prior to the Act, HIPAA only made business associates liable to the covered entity for contract breaches.

The Act also contains a whistle blowing provision for business entities and the covered entities they serve. Prior HIPAA regulations stated that a covered entity was non-compliant if it knew of a business associate’s activity that constituted a material breach of the associate’s contractual obligations and did not take reasonable steps to cure them. If the business associate did not cure the problems, the covered entity was required to terminate the contract or, if that was not feasible, inform the secretary. Now, the Act requires that business entities have the same whistle blowing responsibility towards the covered entities they service. Failure to do so is a violation of the Act.

C. Vendors and Non-HIPAA Covered Entities

The breach notification standards also apply to a new kind of entity called vendors under the Act. These are entities other than covered entities that offer or maintain personal health records. A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Google Health and Microsoft HealthVault are examples of such entities.

A vendor’s obligations under the Act are similar to the covered entities’ and business associates’ responsibilities. Vendors must notify individuals and the Federal Trade Commission, instead of the DHHS, of data breaches. The FTC then notifies the DHHS. The methods and timeliness of these disclosures and the definitions of breach and unsecured protected health information are almost identical to the methods and timeliness that covered entities. Violation of this duty to notify is considered an unfair and deceptive trade practice under the FTC Act. Third party services providers that service vendors have an obligation to notify their vendors of any breaches they experience, as well.

The FTC is required to pass regulations related to vendors covered under the Act within 180 days. If, however, Congress passes breach notification laws that directly apply to vendors, then the breach notification provisions of the Act will be overridden. While this provision may be good housekeeping to prevent dual breach notification laws for vendors, it may also be a sign of further breach notification legislation to come from Congress.

II. Marketing, Sale of Protected Healthcare Information, and the Minimum Necessary Standard

The Act has several provisions that restrict marketing activities and create greater privacy protections for individuals. Covered entities will need to revise their privacy practices to accommodate their new responsibilities.

The Act reduces the amount of marketing activities allowed under HIPAA. Communication by covered entities or business associates that is about a product or service and that encourages recipients to purchase or use the product or service are not considered a health care operation under HIPAA unless they are made 1) to describe a health-related product or service, 2) for treatment of the individual, or 3) for case management or care coordination for the individual. If, however, the covered entity or business associate receives direct or indirect payment in exchange for the communication, then the communication is considered marketing. On the other hand, such a communications will still be considered to be a healthcare operation if it describes a drug that the recipient is using and the payment received is reasonable. The Secretary is charged with defining the amount of reasonable compensation through regulations. However, such communication must still be made with a valid authorization. The Act also prohibits the sale of protected health information without a valid authorization. The regulations for these authorization do not change under the Act.

The Act now makes it mandatory to comply with an individual’s request that the entity restrict the use and disclosure of protected health information about the individual to carrying out treatment, payment, or healthcare operations. Prior HIPAA regulations did not require covered entities to agree to such restrictions.

Individuals also have the right to access protected health information in electronic format if the entity maintains that information. The fee for such access cannot exceed labor costs in responding to the request.

Under HIPAA, an entity was required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of that information. The Act further reduces the amount of data in circulation by requiring the Secretary to promulgate regulations based on the limited data set concept that excludes identifiers such as names, addresses, social security numbers, email addresses and similar information to the extent practicable. Such changes will certainly require that covered entities revisit their privacy practices.

III. Fines and Enforcement

The Act also promotes enhanced enforcement through required fines and investigations.

Violations due to willful neglect now require a fine by the Secretary. Furthermore, the Secretary now has an obligation to investigate any complaint of a violation of the Act if a preliminary investigation of the facts of the complaint indicate a possible violation due to willful neglect. Most importantly, the Act requires that any civil monetary fine or settlement fund collected relating to privacy and security be transferred to the Office for Civil Rights of the DHHS. This provision will likely create a positive feedback loop where enforcement will result in fines and settlements that will give the OCR more funds to carry out more investigations. Additionally, individuals harmed by such breaches may also receive a percentage of the funds received by the OCR, but this amount will be determined three years from the date of the enactment. The Act also creates four tiers of penalties for different levels of culpability ranging from $100 to $50,000 for each violation that are not to exceed $25,000 to $1,500,000 during a calendar year. These fines are effective immediately.

The law can also be enforced by the State Attorneys General. If there is reason to believe that the interests of one or more of the residents of the State is or could be threatened, then the AGs may bring action in federal district court. The courts can, in their discretion, award attorneys fees to the AGs that bring action in federal district courts. However, such state action is limited to circumstances where the Secretary is not already bringing an action. Considering the availability of attorneys fees and the public record of breaches, it is likely that this provision will increase enforcement in cases where the FTC or the DHHS decline enforcement.

IV. Joint Enforcement and CVS’s $2.25 million DHHS Fine

The day after the Act was signed into law, the FTC and the DHHS announced separate settlements with the nationwide pharmacy chain CVS arising out of improper disposal of sensitive personal information. The settlement is significant because it is the first joint investigation by the FTC and the DHHS, involves a health provider, and employee data. Moreover, due to the language of the Act and the cooperation required between the two organizations, it is likely to be a sign of more joint investigations to come.

According to the FTC complaint, during 2006 and 2007 television stations found evidence of CVS’s disposal of names, addresses, dates of birth, bank account numbers, physicians’ names, insurance account numbers and other personal information in unsecured dumpsters in at least 15 cities. Seizing on CVS’s statements that “nothing is more central to our operations than maintaining the privacy of your health information” and that CVS took “this responsibility very seriously,” the FTC argued that CVS’s representations in its notice of privacy practices were false and misleading, likely to cause substantial injury to consumers; therefore, an unfair act or practice. As a result, CVS settled with the FTC and the DHHS in separate settlement agreements.

The FTC settlement is very similar to the other settlements that FTC reached with ChoicePoint, DSW, and TJ Maxx. CVS must create a comprehensive information security program, designate an accountable employee for that program, identify risks, and receive third party assessments of its security procedures for the next 20 years. It is the 24th FTC case that challenges a company’s failure to implement reasonable information security practices.

The DHHS settlement is similar but probably more significant. Under the resolution agreement with the OCR, CVS agreed to pay $2.25 million and implement a robust corrective action plan that includes safeguards for disposal, employee training, and employee sanctions for noncompliance. CVS must comply with this action plan for the next three years, followed by the FTC settlement’s two decade long program. The DHHS Office of Civil Rights press release on the resolution agreement highlights the OCR’s intention to make an example of CVS and its “commitment to strong enforcement of HIPAA Privacy Rule . . . [intended to] spur other health organizations to examine and improve their privacy protections.” The DHHS settlement is the second one of its kind. The previous resolution agreement was with Providence Health Information for $100,000. While the OCR conducts investigations and allows entities to correct HIPAA problems, it had not issued fines of this magnitude.

Vendor breach notifications under the Act will likely spur closer cooperation between the two agencies. OCR’s new obligation to assess fines, conduct investigations in certain cases, and its ability to keep the fines it issues will result in OCR having more resources and incentives to enforce the law. This positive feedback loop will likely result in the FTC and the OCR enforcing the requirements of HIPAA and publicizing them in the future. Therefore, the CVS settlement should provide an incentive for entities of all sizes to satisfy not only their current HIPAA obligations but also their future breach notification requirements.

V. Conclusion

The Recovery and Reinvestment Act creates broad data breach notification requirements for covered entities, business associates, and vendors on a federal level under HIPAA. These entities will need to abide by the regulations that the Secretary of the DHHS will promulgate in the next six months. Further, they will need to abide by the breach notification rules or face fines and settlements by both the FTC and the OCR. Therefore, affected organizations should act quickly to update their breach response plans, revise their privacy policies, stop sales of protected health information without appropriate authorization, and update business associate agreements.

Heartland Payment Systems Loses Credit Card Data to Malware

2009-02-02T17:44:00.009-05:00

By Mehmet Munur

Heartland Payment Systems, the 6th largest card acquirer in the United States with a processing volume of $51.9 billion, reported that its “investigation uncovered malicious software that compromised data that crossed Heartland’s network.” This data breach is disconcerting because consumers may be unable to pin down the source of the fraudulent transactions and also because Heartland was a Payment Card Industry Data Security Standard compliant acquirer. Heartland will likely be subject to liability from consumers, investors, and the FTC.

Heartland’s data breach may have revealed close to 100 million card numbers. It appears that a malicious software within Heartland’s network collected the data on the magnetic stripes of credit and debit cards. Heartland believes that the security codes or sensitive data, such as driver license numbers or social security numbers, are not a part of the data breach; therefore, the risk of identity theft is minimal. However, the risk of financial loss still exists due to the possibility of placing the magnetic information involved in the data breach on another card and using that card fraudulently. Considering that Heartland services all types of merchants, the largest risk to consumers is that such fraudulent transactions could come from any source and consumers do not have a way of identifying whether any of their cards was involved in the breach.

Another disturbing point for both consumers and corporations is that Heartland was a PCI DSS compliant acquirer. According to its 2008 10-K, Heartland “maintain[ed] current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test [its] systems for vulnerability to unauthorized access.” Furthermore, Heartland encrypted the data stored in its databases but not when the data was in transit across its network. Heartland’s assumption was that its network was secure. As a result of the breach, Heartland’s listing in Visa’s Cardholder Information Security Program is now under review. To remedy the situation, Heartland announced that it would begin encrypting cardholder data throughout its network.

However, encryption is not the silver bullet that will save Heartland—or another acquirer—in the future. While PCI-DSS only requires that cardholder data be encrypted while crossing public networks and when it is stored, it does not require that data be encrypted while crossing an acquirer’s internal network. However, this data must be decrypted at some point in order for it to be processed. Furthermore, due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point. Instead, companies that thrive on data processing must approach data security with comprehensive processes—such as ISO 270002. This is not to say that PCI-DSS is inadequate. Considering that the 6th requirement of PCI-DSS is the development and maintenance of secure systems and applications, it appears that it was Heartland’s implementation of PCI-DSS that failed—not PCI-DSS itself.

Heartland may be subject to legal liability from consumers, the Federal Trade Commission, and investors. A week after the breach, Heartland is already facing a class action lawsuit. TJ Maxx recently settled a similar class action lawsuit arising out of its data breach using its reserve of $178 million. Such a class action lawsuit may prove costly for Heartland as well.

TJ Maxx did not have to pay a fine to the Federal Trade Commission. Heartland may be lucky enough to avoid fines from the FTC, as well. Yet, similar to the TJ Maxx’s FTC settlement, Heartland may be subject to third-party audits as a part of a compliance program for the next 20 years. Heartland may also be able to avoid a lawsuit from its investors. While Heartland’s stock prices have declined from about $18 to $8 [1] since the breach became public, it appears to have made the appropriate disclosures as a part of its risk factors in its 10-K:

Unauthorized disclosure of merchant and cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.

Our computer systems could be penetrated by hackers and our encryption of data may not prevent unauthorized use. In this event, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or other similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the Visa and MasterCard networks.

In sum, corporations like Heartland that make their money through processing personal data should invest in data protection using comprehensive processes, especially if the loss of that data may result in financial liability. Such comprehensive processes are likely to better protect corporations and their customers against data breaches.

[1] The connection between data breaches and stock prices declines have been subject to several studies since the ChoicePoint data breach.

Article 29 Working Party Releases 11th Annual Report

2009-01-23T11:57:00.003-05:00

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection and the report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs) resulting in fines totaling millions of Euros, some criminal prosecutions, and concerns over liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing such as electronic healthcare, law enforcement, employment, financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying degrees of retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.

US-Swiss Safe Harbor Framework Signed

2009-01-22T11:08:00.003-05:00

by Mehmet Munur

On December 9, 2008, the Swiss Federal Data Protection and Information Commissioner and the Department of Commerce signed “an exchange of letters” to create the “US-Swiss Safe Harbor Framework.” As a result, multinational corporations certified under the Department of Commerce Safe Harbor program are now able to transfer data from Switzerland to the US more conveniently.

The Swiss Federal Data Protection Act operates similar to the 95/46/EC Data Protection Directive. Article 6 of the Swiss Act prohibits data exports in the absence of adequate guarantees, similar to Article 25 of the Directive. Since the US, without the Safe Harbor, does not offer adequate protections for personal data, companies were forced to use exceptions under Article 6 for data transfers, such as standard contractual clauses approved by the Data Protection Commissioner of Switzerland. Companies can now self-certify for transfers of personal data from Switzerland at the Department of Commerce website in addition to other European Economic Area countries.

US Supreme Court to Review Whether States Can Enforce Antidiscrimination Laws against Federally Chartered Banks

2009-01-19T08:32:00.005-05:00

By Dino Tsibouris

The US Supreme Court will consider whether the New York Attorney General can enforce antidiscrimination laws against federally chartered banks. In The Clearing House Assoc., LLC v. Cuomo, 510 F.3d 105 (2d Cir. 2007), the New York-based Second Circuit Court of Appeals upheld the OCC's position that a state may not request or subpoena information relating to potential lending discrimination from such banks. Opinion at:

http://www.occ.treas.gov/law/OCCvCuomo.pdf

Originally, Eliot Spitzer started a probe to determine if banks were charging higher rates to minority applicants. As Attorney General Cuomo continued the investigation, the court ruled that national bank regulation is a matter of federal law, and that Congress left no role for the states.

The court could hear arguments and decide the case by the end of its term in late June. The case is Cuomo v. Clearing House Association, 08-453 at:

http://www.supremecourtus.gov/docket/08-453.htm

All federally chartered lenders and their service providers should watch this closely.

ABA: Boutique Law Firms Make Inroads During the Downturn

2009-01-16T10:28:00.006-05:00

By Dino Tsibouris

The ABA Journal and New York Law Journal have interesting stories about how the downturn in work at large law firms has opened doors for small firms that offer specialized expertise at competitive rates. The article focuses on the New York market, but the factors apply in any legal market:

Despite the struggling economy and Wall Street layoffs, some small law firms in New York are seeing their business boom.

Among the reasons why are the significantly lower hourly rates charged by these law boutiques and a growing number of small businesses being launched by laid-off workers that need legal services, reports the New York Law Journal. Its article is reprinted by New York Lawyer (reg. req.).

Federal Rule of Evidence 502: Protecting Against the Inadvertent Waiver of the Attorney-Client Privilege

2008-11-11T13:51:00.002-05:00

By Kelly Prior, Esq.

President Bush recently signed a bill creating new Federal Rule of Evidence 502, which addresses the disclosure of communications and information protected by either the attorney-client privilege or the work-product doctrine. The purpose of FRE 502 is two-fold: 1) to resolve the conflicts which have arisen between courts in the area of inadvertent disclosure and subject matter waiver; and 2) to bring some measure of control over spiraling discovery costs that are due in part to the concern that any disclosure, however small or unintentional, will result in the subject matter waiver of all protected communications and information. The Rule provides several protections, as follows:

Subsection (a) applies to disclosures which are made in a federal proceeding or to a federal office or agency. When a disclosure is made in that context and the privilege or protection is waived, the waiver will only apply to undisclosed communications or information when the waiver is intentional, the same subject matter is involved and “fairness” dictates that the disclosed and undisclosed communications or information be considered together. Thus, subject matter waiver is reserved for those cases where a party intentionally produces protected information in a selective, misleading and unfair manner.

Subsection (b) applies to inadvertent disclosures which are made in a federal proceeding or to a federal office or agency. In such cases, the inadvertent disclosure does not constitute a waiver if the holder of the privilege or protection took “reasonable steps” to both prevent the disclosure and to rectify the error.

Subsection (c) addresses the difficulties which often arise when the disclosure of protected communication or information is made in a state proceeding, the communication or information then becomes part of a federal proceeding on the grounds that the disclosure constituted a waiver, and there is a conflict between the state and federal laws as to whether a waiver occurred. Rule 502(c) instructs the federal court to apply the most protective law as between the two.

Subsection (d) provides that the terms of confidentiality orders (pertaining to the disclosure of privileged or protected communication or information) entered into in federal proceedings are enforceable against non-parties in any state or federal proceeding.

Subsection (e) makes it clear that while the parties in a federal proceeding may enter into a binding agreement to limit the effect of waiver by disclosure between themselves, such an agreement is not binding on non-parties. The agreement must be made part of a court order in order for it to bind non-parties.

It will be interesting to see over the next few years how effective the new rule is in preserving attorney-client privilege and work product protections and in reducing discovery costs.

Google Updates IP Address Log Retention Policy

2008-11-10T12:01:00.004-05:00

By Dino Tsibouris & Mehmet Munur

On September 8, 2008, Google announced that it will reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last time, Google will have to amend its IP log retention period in order to comply with the European regulators’ strict policies.

In June of 2007, Google had to reduce the amount of time it retained distinct IP addresses from 24 months to 18 months, due to pressure from the EU Article 29 Data Protection Working Party. After 18 months of obtaining the IP addresses, Google anonymized its IP logs by replacing the last byte of the IP address with hashes (for example 216.54.106.###). Then, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”

This recent change in IP log retention policy is certainly in part due to the Working Party’s Opinion on Data Protection Issues Related to Search Engines released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.

Before issuing this opinion, the Working Party sent questionnaires to many search engines. Undoubtedly, Google was one of the search engines that received a questionnaire. Google must have predicted that the Working Party would issue an opinion on IP addresses and cookie use as a result of this questionnaire. Google probably provided all the justifications that it could, but the Working Party was not satisfied. Considering that the Working Party concluded that logs should be retained for 6 months—not 9—Google either has a better justification, or another revision to its privacy policy awaits Google in the near future.

Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”

Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and anonymization used after 9 months are different methods of anonymization. Considering that the Working Party is not satisfied with the first method under all circumstances, arguably, the Working Party may not be satisfied with the new method, either.

One reason for this continuous disagreement over Google’s privacy policy may be about how Google and the European regulators think about privacy. IP address logs are an invaluable source of competitive information for Google; therefore, it would like to retain them unless they are shown to be personal data. In other words, presume the data to be non-personal unless proven otherwise. To support this view, Peter Fleischer, Google’s Global Privacy Counsel, argued in NY Times Bits and in his own blog that he did not think that IP addresses were private data under all circumstances. Both Mr. Fleischer and a Google engineer stressed that IP addresses did not always return to a unique individual but could shared among many users.

The Working Party disagreed. The Working Party opinion stated that “increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding scale approach to IP addresses privacy while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions for Google’s IP address logs.

Certainly, Google appears to be taking a serious approach to privacy by creating Google Privacy Channel on YouTube, and drafting a reader friendly Terms of Use. Despite all its efforts, Google’s actions are likely to stay on the spotlight for some time to come. One cannot expect Google to give up so easily on IP address logs that allow Google to provide better services and get the upper hand on its competitors.

Best Lawyers in America - 2009

2008-10-06T12:12:00.002-04:00

Dino Tsibouris of Tsibouris & Associates, LLC was recently selected to be included in the 2009 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 1.8 million evaluations and votes cast by the top attorneys in the country. To read more about the selection process, click here.

Recent 9th Circuit Ruling Highlights the Importance of Employee Policies Regarding Electronic Communications

2008-08-09T10:58:00.001-04:00

By Dino Tsibouris & Mehmet Munur

The 9th Circuit Court recently ruled that the unauthorized search of employee text messages on an employer provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy. The case demonstrates the need to revise some of the nation’s privacy laws as well as the attention employers need the pay to the drafting and enforcement of their privacy policies.

The case arose from Ontario Police Department’s review of text messages by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make it more efficient for dispatchers. In October 2001, the city contracted Arch Wireless to provide the service and each pager was allotted 25,000 characters per month. When Quon and others went over the allotted character limit, they paid for their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related.

Then in August 2002, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal use. To this end, city officials requested the transcripts from Arch Wireless who sent the transcripts to the City after determining from its records that the pagers actually belonged to the City. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.

As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communication Act (“SCA”) and the Fourth Amendment, among others. The district court dismissed the claims against Arch Wireless under the SCA but decided that the Fourth Amendment claims should go to a jury. The district court ruled against the plaintiffs on the SCA claim concluding that Arch Wireless was a Remote Computing Service (“RCS”) under the SCA instead of an Electronic Communication Service (“ECS”). Arch Wireless, as an RCS, could release transcripts of the text messages without the consent of the subscriber. Under the facts of this case, the City was the subscriber and had consented to the release of the transcripts. Therefore, Arch Wireless could not be liable. The 9th Circuit disagreed. Arch Wireless was an ECS and it required the consent of the addressee or the intended recipient in order to disclose the transcripts, neither of which it had obtained. The 9th Circuit reversed the district court on the SCA claim.

Both courts had to interpret the archaic and convoluted language of the SCA that Congress passed as a part of the Electronic Communications Privacy Act of 1986 (“ECPA”). Neither text messages nor emails were in existence at the time. Both courts used legislative history and congressional reports yet came to different results. This is yet another case in a long line of cases that suggests that the legislation on electronic communication needs to be rewritten because unforeseeable results make compliance difficult for corporations.

The case also demonstrates the importance of the reasonable expectation of privacy in electronic communications. Both the 9th Circuit and the district court declined to award summary judgment to the City on the issue of the Fourth Amendment violations. Both courts agreed that a jury might find that Quon had a reasonable expectation of privacy in the text messages he sent from the pager. Both courts noted several factors that would make Quon’s expectation of privacy unreasonable. First, the Ontario Police Department’s Computer Usage Policy, which Quon signed, required equipment to be used for business purposes. Second, Quon attended a meeting where he was specifically told that the policies applied to the pagers. Third, the pager was owned by the Police Department. If that were all, the 9th Circuit noted, the outcome would be very similar to other cases where the employee was specifically cautioned against any privacy. However, several other factors made his expectation of privacy reasonable. First, the officers in charge of collecting the bills had made it clear to the plaintiffs that the text messages would not be audited so long as they agreed to pay for the overages. Second, the City in fact did not audit the messages when the employees paid their overages. Further, the 9th Circuit ruled that the expectation could be reasonable despite the fact that the oral declaration was made by someone not in charge of policymaking. Both courts declined to award the City summary judgment on the reasonableness of Quon’s privacy expectation.

In essence, any employer who has a written policy against any expectation of privacy in computer, email, or telephone use may contradict their behavior and create a reasonable expectation of privacy in employee communications simply by not uniformly enforcing their policies or by acting counter to their policies. If the employees have not consented, and none of the other exceptions in the ECPA apply, then an employer may be liable to the employee for invasion of his privacy.

In comparison, courts usually allow a greater expectation of privacy for personal email accounts on websites—such as Yahoo, Google, or Hotmail accounts—accessed through employer-owned equipment compared to business email accounts owned and operated by the employer. However, even such personal email accounts may be subject to monitoring if the employer properly informs the employee. In NERA v. Evans, the employer, NERA, searched Evans’ company-owned laptop’s hard-drive after he left employment and found images of Evans’ personal emails. Evans had deleted his personal files and defragmented his hard-drive mistakenly believing that it would remove any traces of his personal files. While the court noted that such emails could not be retrieved by an average computer user simply by browsing the computer’s hard-drive, it could be retrieved by a specialist. The court ruled against the employer despite NERA’s written policies stating that a log of network activity would be kept and that network administrators could read emails. The court required the employer to be more specific. The policy did not state that contents of personal email accounts would be monitored or that NERA could retrieve them from the hard-drive. Therefore, the court concluded that Evans’ expectation of privacy was reasonable under the circumstances.

Another case currently in litigation merges the issues in Evans and Quon and illustrates the importance of properly drafting and enforcing privacy policies. In Sidell v. Structured Settlement Investments, the plaintiff alleged that his employer continued reading his personal Yahoo email after he was fired because Sidell had left the email account logged-on. Sidell made allegations under the ECPA similar to the ones between Quon and Arch Wireless. Sidell further alleged that the employer used the email account to monitor Sidell’s communications with his attorney. The employer defends that they suspected Sidell of emailing trade secrets to his personal email account. Depending on how explicit Structured Settlement Investments’ policies were and whether Sidell was in fact emailing himself trade secrets, the employer could be liable under the ECPA. Regardless of how the case turns out it is likely to demonstrate at least one very important point: employers must caution their managers from snooping on their employees’ emails without consulting in-house counsel.

These electronic communication cases will certainly influence how employers and corporations involved in electronic communications act in the future. Surely, Arch Wireless will work to improve its handling of text message transcript requests where the subscriber is different than the addressee or the intended recipient. Moreover, employers may have to both revise their policies so that they describe their intended actions more accurately and enforce these policies uniformly to assure that they hold up in court.

The cases are Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (2006); Quon v. Arch Wireless Operating Co., 529 F.3d 892 (2008); and National Economic Research Associates, Inc. v. Evans, No. 04-2618-BLS2 (Sup. Ct. Mass. Aug. 3, (2006).

Google Health Launches

2008-05-26T13:21:00.002-04:00

By Dino Tsibouris & Mehmet Munur

Having concluded its testing at the Cleveland Clinic, Google Health launched amid privacy concerns last week. Commentators are concerned that Google is not currently regulated under the Department of Health and Human Services (“DHHS”) and Google’s claim that it is regulated by the Federal Trade Commission does not appear to appease them. Nevertheless, Google Health appears to have a solid approach to both storing health care data online and finding information about health issues with Google Health.

Google Health ships with terms of service, a privacy policy, a health sharing authorization, and a legal notice. The terms of service caution the user that Google Health does not offer medical advice, that the user is responsible for the security of the password, and that Google will treat the information provided by the user in accordance with its privacy policy— along with the usual limitation of liability and exclusion of warranties languages. The privacy policy states that Google will not sell, rent, or share the information without the explicit consent of the user, explains what information Google retains, and clarifies how a user may share health data with a licensed third party health care provider. The health sharing authorization allows Google to pass along sensitive health care information to third parties that the user authorizes. Finally, the legal notice provides limitation of liability for Google’s partners that provide drug related information.

Commentators have at least two privacy concerns with Google Health. First, anyone with a Google username may instantly and easily sign onto Google Health. While Google requires that passwords be at least 8 characters long, it does not require that the passwords contain numbers, upper and lower case characters, and special characters—which would help create strong passwords. Considering that only a minority of users will create strong passwords when not required to do so, access to a user’s health information on Google health is only as good as the password the user creates—assuming that Google’s systems are secure. However, both Microsoft and Google suffer from this same problem.

Second, Google (rightly) claims that it is not bound by Health Insurance Portability and Accountability Act (“HIPAA”). The regulations under 45 CFR part 160.102 state that the Act applies to a) health plans, b) health care providers who transmit any health information in electronic form in connection with a covered transaction, or c) health care clearinghouses. A health plan is an individual or group that provides or pays the cost of medical care. Medical care includes diagnoses, cures, treatments, and transportation related to medical care, but not storage or transfer of information. A health care provider is a provider of medical or health services and any other person or organization that is paid for health care in the normal course of business. While medical services are defined ad nauseum in the regulations, none of those services relate to storage of healthcare information as a service.

A health care clearinghouse is an entity that processes or facilitates the processing of health care information from a nonstandard format (or data) to a standard format (or data), or vice versa. In promulgating the final rules on HIPAA, the DHHS stated that the definition was not meant to apply to telecommunication companies such as internet service providers or telephone companies, so long as they did not process the data in the fashion required. Therefore, processing of information coming from one entity and going to another entity appears to be at the heart of the regulations. Google does not process the data. It only makes it available to both the patient and the health care professional—presumably in the format it is provided. On the other hand, any manipulation of this data from standard to nonstandard format would trigger the regulations under HIPAA. In sum, Google Health currently resides in that gray area between explicitly exempt entities and nonexempt entities.

Nevertheless, Google’s interpretation of the current regulations is in line with DHHS’ Office for Civil Rights (“OCR”), which is in charge of the civil enforcement of the Privacy Rule under HIPAA. Susan McAndrew, senior advisor for the OCR, has stated in unofficial discussions that Google Health and Microsoft HealthVault are exempt from HIPAA rules, but that the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community is in the process of making recommendations to regulate them under HIPAA. In regulating electronic health information exchange networks such as Google and Microsoft, the Workgroup has already identified six factors ranging from prevention of unauthorized access of the health care data to the purposes for which the health care data can be used. However, it will probably be years before such regulations take effect.

Yet, Google does not claim that it is exempt from regulation for its privacy policies. On the contrary, Google agrees that it is subject to section 5 of the Federal Trade Commission (“FTC”) Act. While the OCR responds to thousands of complaints every year, the FTC’s settlements are more public and its punishments are probably more severe. So far this year, the FTC settled with 5 companies for breach of privacy policies, including retailer TJ Maxx, publisher Reed Elsevier, and online advertiser ValueClick. Almost all FTC settlements include biennial security audits by independent third parties for 10 or 20 years following the settlement. Some include civil penalties. In 2006, the FTC settled with ChoicePoint for $10 million in civil penalties and $5 million in consumer redress. Such settlements tend to affect a company’s stock prices in the short run and hurt their brand images. Google is certainly aware of the consequences of a security breach at Google Health.

Google has a healthy competitor to Microsoft’s HealthVault in Google Health. However, both business models appear to be ahead of the legal regulations in this area of health privacy. Moving health records online will certainly benefit patients, healthcare providers, and companies such as Google and Microsoft—so long as all the parties involved understand and fulfill their responsibilities.

Ohio Supreme Court Prepares to Adopt Electronic Discovery Rules

2008-05-13T12:20:00.003-04:00

By Dino Tsibouris & Mehmet Munur

The Ohio Supreme Court is finalizing Proposed Amendments to the Rules of Civil Procedure that include amendments related to electronic discovery. The comment period for the proposed amendments ended on March 4, 2008. The commission responsible for the rules had until May 1st to review and make changes to the proposed amendments. They have not. Therefore, the proposed amendments should take effect on July 1, 2008—unless the General Assembly adopts a concurrent resolution of disapproval. Though the Ohio Rules are very similar to the Federal Rules, the Ohio Rules differ to accommodate the differences in practical application.

Under proposed Ohio Rule 26, a judge may schedule a pretrial conference related to electronically stored information, while such a pretrial conference is required under the Federal Rules. Also, proposed Rule 26 clarifies the scope of discovery to include electronically stored information and limits it to cases where the information is reasonably accessible and its production not unduly burdensome or expensive. Proposed Rule 37 provides factors that are not provided in the Federal Rules that a judge should consider in determining sanctions as a result of routine, good faith operation of an electronic information system. Some of these factors are 1) whether and when the obligation to preserve the information is triggered, 2) whether the party intervened in a timely fashion to prevent the loss of information, and 3) whether the party took steps to comply with any court pr party agreement requiring the preservation of specific information.

You may find the proposed amendments here.

Senate Votes to Expand Student Loan Access

2008-05-01T09:35:00.003-04:00

By Dino Tsibouris

We represent a number of student lenders with respect to their online lending operations. In the past several months we have observed a number of unique events in the marketplace, ranging from the reduction of interest rates in federally-insured student loans that have made the business financially unattractive to banks, to disruptions in the bond markets that have impaired the ability of lenders to obtain funds to make student loans. Many lenders have suspended student lending activity temporarily, stopped making certain types of student loans, or completely left the business and focused on other opportunities.

Students are now faced with increasing tuition costs at the same time that their access to student loans has substantially declined. To address these concerns, the senate yesterday approved The Ensuring Continued Access to Student Loans Act of 2008 (similar to a bill that recently passed the house) to increase the amounts borrowers may obtain in federally-insured student loans. Both the senate and house bills would also allow the Department of Education to buy existing student loans from lenders to free up their capital and allow the lenders to make new loans. President Bush is expected to sign the new legislation. It is important to note that the proposed legislation aims to increase borrowers access to FFELP loans, but does not affect private student loans that are not guaranteed by the government.

Interestingly, Federal Reserve Chairman Bernanke was quoted in the Wall Street Journal today as having sent a letter to senators inviting them to revisit their earlier decision to cut interest rates on federally-insured loans to entice lenders to return to the marketplace. Time will tell.

In Case You Missed It: Judge Dismisses Cheating Husband’s Breach of Privacy Policy Case

2008-05-01T09:27:00.002-04:00

By Dino Tsibouris & Mehmet Munur

A federal judge in Texas recently dismissed a case (due to improper venue) in which the plaintiff alleged that the website’s breach of its privacy policy led to his wife finding out about his infidelity, which ultimately led to his divorce.

Plaintiff Leroy Greer called 1-800-FLOWERS (Company) and ordered flowers for his girlfriend. He was directed to 1-800-flowers.com when he inquired about the Company’s privacy policy. After the purchase, the Company sent a “thank you” note to his home, which prompted his wife to contact the Company for proof of purchase, a copy of the note attached to the flowers, and information about the husband’s girlfriend. Greer filed suit for $1.5 million arguing that the Company’s actions breached the privacy policy and caused him damages in connection with the divorce that followed.

In its defense, the Company argued that the forum selection clause of the website terms of use specifically assigned Nassau or Suffolk counties of New York exclusive jurisdiction. In response, Greer argued that because the transaction had taken place over the telephone, the forum selection clause was not applicable. In essence, Greer argued that his use of the website to view the privacy policy did not amount to full-fledged use to trigger the terms of use but that the phone transaction governed.

The court disagreed for two reasons. First, the privacy policy was a part of the terms of use which stated that accessing any part of the website legally bound the user to its terms. In other words, Greer was cherry-picking the parts of his agreement with the Company—wanting to enforce the privacy policy but not the terms of use. Second, the court ruled that Greer did not successfully show that the terms of use only applied to web transactions.

The court then summarily found that that the forum selection clause did not violate the Supreme Court’s four-factor forum selection test. After all, whether the Plaintiff actually read the terms of use was beside the point considering that the privacy policy contained a link to it, specifically mentioned it, and notified the user of its existence. Greer was going to have sue the Company in New York.

While Greer’s lawyer suggested that they would be filing the case in New York in the next couple of weeks, research has not revealed whether he actually has. For details related to Greer’s note to his girlfriend and his wife’s discovery, visit here. Visit here for the MSNBC story.
The case is Greer v. 1-800-Flowers.com, Inc., No. H-07-2543, 2007 U.S. Dist. LEXIS 73961 (S.D. Tex. Oct. 3, 2007).

Google Health Starts Pilot at the Cleveland Clinic

2008-04-11T16:21:00.005-04:00

By Dino Tsibouris & Mehmet Munur

On February 21, 2008, Google announced a partnership with the Cleveland Clinic to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond Microsoft’s HealthVault offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.

Google claims that its offering is different than other online personal health records in four ways. First, Google developed its privacy policies using Google Health Advisory Council, made up of leaders in the healthcare industry—from CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. This allows third party application developers to create programs for use on its application programming interface or API. For example, such third party applications may include reminders to take prescription medicine on personalized Google homepages. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their healthcare information or find health information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.

The Cleveland Clinic pilot project is supposed to last six to eight weeks and the platform is to become public some time after that. For this reason, no terms of use are available from Google to judge its commitment to privacy. Yet, Google appears to have changed its privacy policies in a positive way. First, Google changed its 30 year expiration period for its cookies to two years—but included automatic renewal.

Second, Google was the first major search engine to anonymize its server logs after 18 months instead of an 18 to 24 month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18 and 13 month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. Third, Google has started offering videos through its YouTube Google Privacy Channel to explain its privacy policies without legalese and geek-speak.

All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creating[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business as it would make compliance much easier. Yet, cultural and legal differences are likely to make this goal hard to achieve.

On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s keynote speech at the HIMSS, a doctor asked what was in it for Google. He answered that there was not a “monetization path” for Google Health in the short term. However, he suggested that Google was able to create brand following through other services even though those ancillary services were not supported by advertisements—such as Google News. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.

Eric Schmidt suggested that this service Google Health Starts Pilot Project at the Cleveland Clinic

On February 21, 2008, Google announced a partnership with the Cleveland Clinic to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond Microsoft’s HealthVault offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.

Google claims that its offering is different than other online personal health records in four ways. First, Google developed its privacy policies using Google Health Advisory Council, made up of leaders in the healthcare industry—from CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. This allows third party application developers to create programs for use on its application programming interface or API. For example, such third party applications may include reminders to take prescription medicine on personalized Google homepages. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their healthcare information or find health information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.

The Cleveland Clinic pilot project is supposed to last six to eight weeks and the platform is to become public some time after that. For this reason, no terms of use are available from Google to judge its commitment to privacy. Yet, Google appears to have changed its privacy policies in a positive way. First, Google changed its 30 year expiration period for its cookies to two years—but included automatic renewal.

Second, Google was the first major search engine to anonymize its server logs after 18 months instead of an 18 to 24 month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18 and 13 month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. Third, Google has started offering videos through its YouTube Google Privacy Channel to explain its privacy policies without legalese and geek-speak.

All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creating[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business as it would make compliance much easier. Yet, cultural and legal differences are likely to make this goal hard to achieve.

On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s keynote speech at the HIMSS, a doctor asked what was in it for Google. He answered that there was not a “monetization path” for Google Health in the short term. However, he suggested that Google was able to create brand following through other services even though those ancillary services were not supported by advertisements—such as Google News. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.

Eric Schmidt suggested that this service was unlikely to take off or reach market saturation in a short time but that in the long run it makes sense because such a large part of online searches involve health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.

You can find a blog post and screens from Google Health at the Official Google Blog here. You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 here.was unlikely to take off or reach market saturation in a short time but that in the long run it makes sense because such a large part of online searches involve health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.

You can find a blog post and screens from Google Health at the Official Google Blog here. You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 here.

Supermarket Chain Falls Victim to Security Breach

2008-03-18T15:47:00.003-04:00

By Dino Tsibouris & Mehmet Munur

On Monday March 17, 2008, Hannaford, an East Coast supermarket chain, announced that it fell victim to a security breach. The security breach has so far resulted in 1,800 actual cases of fraud.

Hannaford announced that the breach affected 4.2 million unique account numbers during the card authorization process. Hannaford first noticed the breach on February 27 and contained it on March 10. Hannaford, VISA, MasterCard, and the U.S. Secret Service have not released much information regarding the security breach due to the ongoing nature of the investigation. However, no personal data such as names, addresses, or telephone numbers were revealed during the breach.

It is possible that hackers breached Hannaford’s security similar to how hackers breached TJ Maxx’s security in 2006. TJ Maxx employed an outdated and easy to break encryption scheme called WEP to secure its wireless networks. Hackers breached a TJ Maxx store’s wireless network near St. Paul, MN using a laptop and a directional antenna. They then used this data to compromise TJ Maxx’s central customer database at its Framingham, MA headquarters. The hackers obtained many millions of credit card numbers and some personally identifying information such as driver’s license numbers and social security numbers.

Hannaford’s security breach pales in comparison to the security breach at TJ Maxx, which may have affected 100 million customers. TJ Maxx has settled with VISA and the card issuing banks over its security breach for $82 million. TJ Maxx has set aside a reserve fund of $107 million for payments and legal expenses. Though the FTC has been investigating TJ Maxx, it has not yet announced a settlement. FTC may levy fines against TJ Maxx since that breach was the largest security breach to date.

While the FTC has only settled 17 cases to date relating to data security practices by companies handling personal information, it has settled 2 so far in 2008. It appears that FTC will settle more cases related to security breaches this year.

Settlement of Lawsuit over Email Upheld

2008-03-17T11:28:00.001-04:00

By: Dino Tsibouris & Mehmet Munur

A Massachusetts court of appeals recently held that Amazon was bound to a settlement that was conducted over email to dismiss a case against it and noted that the email exchange created “a present agreement awaiting a later document.”

The litigation that led to the email settlement arose from Amazon’s investment in Basis Technology, a software company focusing on “extracting meaningful intelligence from multilingual text.” In September 1999, Amazon entered a technical services agreement with Basis to help Amazon create an electronic commerce system in Japan. In December 1999, Amazon purchased 1.6 million shares of preferred stock in Basis with a common stock conversion provision with a ratio of one-to-one and anti-dilution rights. In April 2001, Amazon agreed to a recapitalization that increased its conversion rights to two-to-one (one share of preferred stock to two shares of common stock). In March 2004, the Basis Board of Directors distributed a memorandum acknowledging the issuance of almost half a million shares of preferred stock to In-Q-Tel, the venture capital arm of the Central Intelligence Agency. Amazon received notice of this issuance but did not consent.

In the meantime, in May 2003, Basis had commenced a lawsuit against Amazon for breach of fiduciary duty. In March 2005, counsel for Basis and Amazon reached a preliminary settlement through email. Basis counsel sent an email memorializing the discussions of that evening with 6 provisions that showed general agreement on the main points but omitting most of the details that would be drafted later. One of the provisions required Amazon to convert its preferred stock to common stock under the 1999 share purchase agreement. Basis counsel also asked to be contacted the next morning, before the two parties reported the settlement to the judge, in the event the Amazon counsel disagreed. The next morning, counsel for Amazon replied to the email with one word, “correct.” The trial judge ended the trial and entered an order for a settlement between the parties, pending the detailed provisions.

Several days later, Amazon and Basis reached a deadlock over the conversion ratio. Basis argued that the conversion rate should be two-to-one. Amazon argued that the anti-dilution provisions should result in a ratio of more than 2.1-to-one due to the issuance of shares of preferred stock to In-Q-Tel. Amazon concluded that this difference would result in a loss of quarter of a million dollars and reduction in ownership stake from 10% to 8.5%. When the parties could not resolve this dispute, after extensive hearings and examinations, the court entered a judgment enforcing the settlement agreement the parties had reached during their email exchange in March 2005.

On appeal, Amazon argued that the emails did not create an unambiguous agreement between the parties and that Amazon did not intend to be bound. After reviewing the emails, the appeals court ruled that the parties had reached a settlement on the essential business terms when Amazon counsel “concisely responded, ‘correct.’” The court, citing a 1987 decision, stated that “the parties have agreed upon all material terms, [therefore] it maybe inferred that the purpose of a final document which the parties agree to execute is to serve as a polished memorandum of an already binding contract.” Therefore, solely agreeing to the essential terms of a contract over email does not change the principles of contract formation.

The decision of both the trial court and the appeals court is not surprising for two reasons. First, Amazon executives appear to have wanted to get out of an unfavorable settlement by Amazon counsel after it was already made. Second, an email that manifests the intention to be bound by a sufficiently definite agreement should be treated no different than a similar writing in a different medium.

This case compares well with CSX Transp., Inc. v. Recovery Express, Inc., 415 F. Supp. 2d 6 (D. Mass. 2006). There, CSX received an email from a person expressing interest in purchasing railcars as scrap. Relying only on the domain name on the email address, and without checking to make sure that the person worked for that corporation, CSX sold the railcars to the email sender. When the check written by the purchaser bounced, CSX sued the company holding the domain name of the email address—Recovery Express. The court concluded that the use of the email address by the railcar purchaser did not create apparent authority to act as Recovery Express’ agent. Though the CSX employee conducting business over email was not an attorney, it appears that he fell in the same trap that Amazon counsel did when he conducted a settlement over email.

The case is Basis Tech. Corp. v. Amazon.com Inc., No. 06-1048 (Mass. App.Ct., Jan. 7, 2008).

Tsibouris Law Blog Featured in Columbus Business First

2008-03-17T11:25:00.002-04:00

Tsibouris & Associates Law Blog was recently featured in Columbus Business First article on Columbus law firm blogs. The article discusses the burgeoning law firm blog scene in Columbus, Ohio. To read more, please click here.

NY AG Cuomo Announces Code of Conduct for Private Student Loan Programs

2007-12-19T08:36:00.000-05:00

By: Dino Tsibouris and Mehmet Munur

New York Attorney General Andrew M. Cuomo reached a settlement with University Financial Services (UFS), a private student loan consolidation service and announced a Direct Marketing Code of Conduct that would apply to student loans marketed directly to students. This represents a new regulatory approach. The proposed code of conduct:

(1) Prohibits lenders from using misleading tactics such as using insignia to appear to be a part of the federal government;

(2) Prohibits lenders from paying students to steer their peers to lenders;

(3) Requires submitting uniform disclosures to students at three different stages of the loan application process;

(4) Requires lenders to advise students to exhaust federal loan options before using private loans;

(5) Prohibits lenders from using gift cards or similar items to entice students;

(6) Prohibits lenders from selling or disclosing personal information about the borrower unless the lender clearly and conspicuously discloses its intent to do so in a privacy policy;

(7) Requires lenders to disclose whether they intend to resell the student loans; and

(8) Prohibits lenders from levying early payment penalties

The settlement requires UFS to end arrangements with 63 colleges to market UFS’s consolidation loan services. UFS also agreed to publish advertisements advising students to be cautious when shopping for loans. AG Cuomo criticized some private lenders for co-branding their products with university mascots to appear as a university’s financial aid services.

AG Cuomo’s announcement mirrors some of the concerns that the NY legislature and the United States Congress raised. NY recently passed the Student Lending Accountability, Transparency and Enforcement Act while Senator Dodd (D-CT) introduced the Private Student Loan Transparency and Improvement Act of 2007 in June.

Lenders who offer loans directly to students should see this as the first of what may be a series of similar regulatory efforts aimed at student lenders outside the FFELP program or marketed through schools.

Microsoft Health Vault

2007-12-10T14:15:00.003-05:00

By: Dino Tsibouris & Mehmet Munur

Microsoft recently launched Health Vault promises benefits in healthcare information storage and sharing online but raises concerns on privacy of this information. Health Vault is Microsoft’s “new personal health platform that lets you gather, store, and share health information online.” Service users need a Windows Live ID (previously . NET Passport) to use the service. Once users create both a sufficiently safe username and a strong password, they can enter data from health and wellness devices, or upload documents to their vault. Users can then share this information with other Windows Live ID users, such as doctors and health care professionals.

Google also has a similar website entitled Google Health that is similar to Microsoft’s consumer oriented approach to health information. While Google’s service will probably not be introduced until 2008, both companies’ focus on this field is a result of current trends. In 2007, 52 percent of adults in the US searched the web for health information compared to 29 percent in 2001. More and more, patients are confronting their health care providers with information gathered from websites such as WebMD. Both Google and Microsoft hope to leverage their expertise in web search functionality with personal health information storage and sharing.

Consolidating healthcare information online can offer many benefits to a patient as well as the doctors. Online storage reduces the risk of data loss and enables access to data regardless of where the patient resides. However, giving patients full control of their health records may mean that patients can selectively disclose healthcare information.

On the other hand, both Google and Microsoft are entering this industry to generate advertisement or software sale revenues, which creates privacy concerns. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the security of personal health information. While Microsoft is aware that HIPAA may apply to it, it is not yet aware of extent of that HIPAA applies to Health Vault.

Microsoft’s Health Vault privacy statement addresses some privacy concerns while it does not specifically address HIPAA regulations. First, the privacy statement asserts that third parties, such as companies Microsoft hires to answer customer service questions, have access to personal information such as IP addresses and email addresses. However, Microsoft also states that these third party companies are required to maintain confidentiality. Second, Microsoft states that this information “may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.” Third, the statement asserts that “aggregated information from the Service for marketing” may be disclosed. While, this aggregated information is not associated with any individual account, it may be used for marketing after an “opt-in consent” from the user. Finally, the privacy policy specifically addresses cookie use, web-beacon use, and encryption using HTTPS. While these assurances are definitely in the right direction, Microsoft will certainly want to assure compliance with HIPAA’s privacy and security rules.

Considering that Google’s use of cookies has been under the spotlight before, we are looking forward to review Google’s approach to both the privacy and security of personal health information.

Court Rules That Cease and Desist Letter Confirms Notice of Website Terms of Use

2007-10-29T16:16:00.001-04:00

Written by: Dino Tsibouris and Mehmet Munur

A federal trial court in Texas held that cease and desist letters explaining infringing conduct created knowledge of website terms of use and further use of the website after this knowledge was a breach of contract. Therefore, a corporation wishing to stop another party from violating its website terms of use should consider sending a cease and desist letter before litigation to enhance their position in trial.

Southwest Airlines is a Dallas based airline carrier that subscribes to a first come, first served seating policy. Southwest divides the plane into three sections—A, B, and C— with class A being the most in demand. Southwest allows its customers to check in at www.southwest.com within 24 hours of the flight, which dramatically increases their chances being awarded the coveted A class.

On the other hand, BoardFirst assists customers with getting class A seating at Southwest flights. A Southwest ticket holder can supply BoardFirst with his name, flight information, credit card number, and make BoardFirst his agent to obtain class A seating for a fee of $5. Then, BoardFirst’s employees log onto the Southwest website at the appropriate time, obtain a pass, and allow customers to print their boarding pass at the airport. BoardFirst has been in operation since 2005 and serves less than 100 customers per day.

In court, Southwest argued that BoardFirst’s circumvention of Southwest’s first come, first served policy is a breach of contract. The terms of this contract were posted on Southwest’s website under a link titled “Terms and Conditions.” These terms specifically prohibited commercial use of the Southwest’s website—unless the user was an approved travel agent. Furthermore, Southwest specifically prohibited the services that BoardFirst provided, stating: “third parties may not use the Southwest web sites for the purpose of checking Customers in online or attempting to obtain for them a boarding pass in any certain boarding group.”

Clearly, if Southwest could prove that there was a contract between Southwest and BoardFirst, then it should be entitled to relief. In order for a contract to exist, parties must mutually agree to its terms, either through spoken or written terms or actions. Southwest’s website terms of use—in plain and very common terms—stated that “use of the Southwest web sites and our Company Information is subject to these terms and conditions, and by using our web site, you agree to these terms and conditions.” Therefore, Southwest argued that BoardFirst was aware of the website terms of use, and agreed to its conditions by using the website.

In similar circumstances, defendants have argued that they had no knowledge of these terms and that the small hyperlink at the bottom of the website gave insufficient notice. However, BoardFirst did not raise these arguments because Southwest sent two cease and desist letters before starting this lawsuit. The court held that a contract between BoardFirst and Southwest formed at least as early as when BoardFirst received the first cease and desist letter and then continued the use of Southwest’s website.

Southwest then had to prove breach of contract and damages to prevail in this lawsuit. The court held that BoardFirst breached this contract because the activities were specifically prohibited by the website terms of use. Southwest’s damages were difficult to calculate, but nevertheless tangible. Southwest argued that the customers that paid BoardFirst did not visit Southwest’s website, where they would have viewed advertisements and possibly made hotel or rental car reservations. The difficulty of proving these damages; however, allowed Southwest to get an injunction stopping BoardFirst’s breaching activities.

The case is interesting because the court correctly compared BoardFirst’s activities to landmark terms of use cases to come to the conclusion that BoardFirst’s activities formed a contract. While the case certainly reaches the correct conclusions, it does so a conservative fashion. One could argue—as Southwest did—that a contract between the parties existed long before the cease and desist letters, as early as BoardFirst’s first use of the Southwest website in early 2005. The court’s willingness to take the easy road to enforce the contract between the parties demonstrates at least one lesson. Corporations wishing to enforce their website terms of use are encouraged to send at least one cease and desist letter before litigation.

The case is Southwest Airlines Co., v. BoardFirst, L.L.C., No. 3: 06-CV-0891-B (N.D. Tex., Sept. 12, 2007).

Best Lawyers in America - 2008

2007-10-22T12:02:00.001-04:00

Dino Tsibouris of Tsibouris & Associates, LLC was recently selected to be included in the 2008 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 1.8 million evaluations and votes cast by the top attorneys in the country. To read more about the selection process, click here.