Understanding Privacy and Security Litigation


Page 1: Understanding Privacy and Security Litigation

©2006 Foley & Lardner LLP

Understanding Privacy and Security Litigation

Michael P. McCloskey
Partner, Securities Litigation
402 West Broadway, Suite 2100
San Diego, CA 92101
Telephone: 619.685.6409
Email: [email protected]

Andrew B. Serwin
Partner, IP Litigation
402 West Broadway, Suite 2100
San Diego, CA 92101
Telephone: 619.685.6428
Email: [email protected]

Page 2: Privacy General Principles

– Notice
– Choice
– Onward Transfer
– Access
– Security
– Data Integrity
– Enforcement

Page 3: Privacy Ultimately Four Issues

– What information do you collect
– What do you do with the information
– When can’t you disclose it
– When must you disclose it

Page 4: Federal Privacy Statutes

– Children’s Online Privacy Protection Act (COPPA);
– Gramm-Leach-Bliley (financial);
– Electronic Communications Privacy Act;
– Health Insurance Portability and Accountability Act (medical);
– Right to Financial Privacy Act; and
– Others (FCRA, FACTA)

Page 5: COPPA (15 U.S.C. § 6501 et seq.; 16 C.F.R. § 312 et seq.)

Restricts the collection of information from children 12 and under by “operators” of:
– commercial websites that are directed to children 12 and under that collect personal information from children;
– general websites that knowingly collect personal information from children 12 and under; and
– general websites that have a separate children’s area and that collect personal information from children 12 and under.

Does not apply to ISPs in most circumstances

Page 6: COPPA

FTC is very active with COPPA issues
– Time out cookies
– “Bounce” issues
– From v. about
– Age Field

The FTC just renewed the COPPA rules

Page 7: Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)

There are two portions of the ECPA:
– The Wiretap Act; and
– The Stored Communications Act

This is a temporal distinction

Page 8: Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)

Wiretap Act and Councilman.
– Prohibits “interception” of “electronic communications”. An “electronic communication” is “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”
– Does not include electronic storage, as the definition of “wire communications” and the storage definition of the Stored Communications Act do.

Page 9: Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)

Applies mostly for businesses in the employee context.

Two potential exceptions:
– to protect the provider, another provider, or a user, from fraudulent, unlawful or abusive use of such service; or
– a person employed or authorized, or whose facilities are used, to forward such communication to its destination

Page 10: State Employee Email Monitoring Laws

Connecticut
– Requires notice and posting of notice of the employer’s monitoring policies

Delaware
– Requires that notice be given every day to the employee

Certain exceptions apply for investigations
Civil penalties are available
Fischer v. Mt. Olive Lutheran Church

Page 11: Federal Disclosure Statutes

– Communications Assistance for Law Enforcement; and
– The Patriot Act
– The DMCA

Page 12: The FTC and Privacy

FTC has an announced privacy agenda
– Stepping up enforcement of Spam laws
– Increasing assistance to victims of identity theft
– Enforcing company’s privacy promises is also a focal point of the FTC’s agenda
– Enforcing federal laws

Additional guidance is available via consent orders posted on the FTC website

Page 13: The FTC and Privacy

Tower Records
– Claimed to have reasonable security in shopping cart area
– Had a security issue that permitted customer information to be revealed

CartManager International
– Third Party provider misrepresented

BJ’s Electronics
– Inadequate data security on wireless networks with credit card information

Page 14: The FTC and Privacy

Sunbelt Lending Services
– Violation of the Safeguard Rule, including for the failure to assess risks and implement safeguards to control these risks, train and oversee employees, and monitor the network for vulnerabilities

DSW
ChoicePoint
CardSystems, Inc.
– Inadequate data security was an unfair practice

Page 15: Pretexting

Covered by GLB. Also prohibited under a number of state and federal laws.

Page 16: What is Pretexting?

Obtaining certain forms of information under false pretenses. It can be improper depending upon the type of data, the type of person seeking it, and the purpose of the request.

Page 17: Situations where pretexting has been used to obtain information

– Disability claims (malingering)
– Collection cases/background checks
– Investigative/celebrity reporting
– “Non-compete” investigations
– To find witnesses, research alibis
– Finance/accounting fraud allegations
– Investigating falsification of records
– Misappropriation of trade secrets
– Misuse/theft of corporate assets
– Derivative claims
– Competitive intelligence
– Litigation related investigations
– To detect ongoing violations of law

Page 18: Why would anyone pretext?

– Difficult to discover information by other means
– Subpoena/discovery power is unavailable
– Legitimate information brokers have “dried up”
– Information obtained by pretext is widely available on the internet as “research” for a fee
– Disgruntled employees with access can be bribed
– Information brokers contend method is not illegal, or an “investigative” or “prosecutorial” exception
– Anonymity of source may lend false sense of legitimacy
– Avoids having to close investigations for lack of proof
– Deception gives criminals edge
– Lack of enforcement

Page 19: Risks of Improper Pretexting

Criminal, civil penalties, including aiding and abetting
– Hewlett Packard case

Potential violations of attorney code of professional responsibility; potential disciplinary consequences
– False statement of material fact or law to third person
– Conduct involving dishonesty, fraud, deceit or misrepresentation
– Failure to supervise
– Counseling client to commit a crime or fraud
– Misleading unrepresented persons
– “Reflects adversely” on lawyer’s “fitness to practice”

Civil liability for investigator’s tortious conduct
Suppression of evidence, other sanctions
Adverse publicity

Page 20: Pretexting and Investigations

The type of information sought can affect your ability to get it. Where the information is coming from matters as well.

Page 21: The Law of Pretexting

– GLB
– Wire fraud
– The Federal Trade Commission Act/Telecommunications Act of 1996
– The Computer Fraud and Abuse Act
– State identity theft laws
– State restrictions on phone records
– Common law fraud

Page 22: Pretexting and State Law

Many companies are subject to many states’ jurisdiction, and consideration of state law is important.

By seeking information from providers, in many cases the information sought may be subject to state protection.

It is not always clear what law applies to your investigation.

Page 23: California Law

California
– Recently adopted SB 202.
– It applies to telephone records.
– Need fraudulent intent for obtaining records.

Page 24: Most States Have Identity Theft Laws

Alaska, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Washington D.C., West Virginia, Wisconsin, Wyoming

Page 25: State Public Utility Restrictions on Telephone Records

– California Public Utilities Code Section 2891
– California Code of Civil Procedure Section 1985.3

Page 26: What You Can Do to Prevent Problems and Run a Proper Investigation

– Find out what state and federal laws are applicable to your company/industry.
– Check out your investigators.
– Consider whether it is better to run investigations internally or externally.
– Consider whether you really need the information you are seeking.
– Consider including policies regarding information gathering in litigation or pre-litigation matters.
– Consider inserting contractual language in investigators’ agreements.

Page 27: What You Can Do to Prevent Problems and Run a Proper Investigation

– Restrict the gathering of certain types of information under false pretenses.
– Limit the scope of your investigation to the purpose of the investigation.
– Make sure you have a monitoring policy in place.
– Consider whether you have authority to gather information from an employee’s computer or network.

Page 28: International Issues

SOX
– Whistleblower issues and foreign data protection regimes

Employee issues

Page 29: California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22579)

Applies if “personal information” is collected through the website

A website must then:
– Have a privacy policy that discloses the type of information collected;
– Describe the process, if any, for consumers to change their information;
– Describe the process for consumers to receive notice of material changes to the policy; and
– Identify its effective date

Format requirements

Page 30: Notice of Security Breach Laws (Cal. Civ. Code § 1798.82)

Triggered if there is a breach of data security; and a consumer’s personal information is implicated

Applies even if there is simply a reasonable belief that there was an acquisition of data

Law enforcement concerns

Direct notice typically required, though substitute notice is permitted in certain instances

Page 31: Notice of Security Breach Laws

Issues to watch out for
– What good is encryption?
– Electronic v. non-electronic
  North Carolina’s law applies to non-electronic
– Is there a general duty?
– Who else must notice be given to?
– What form of notice?
– Is notice required if there is no likelihood of identity theft?

Page 32: Notice of Security Breach Issues

33 other states (and the OCC) have enacted laws or rules
– Including: Arkansas; Connecticut; Delaware; Florida; Georgia; Illinois; Indiana; Louisiana; Maine; Minnesota; Montana; Nevada; New Jersey; New York; North Carolina; North Dakota; Rhode Island; Tennessee; Texas and Washington

Ohio Attorney General action

Page 33: Restrictions Upon the Collection of SSNs (Cal. Civ. Code § 1798.85)

Companies cannot:
– Post or publicly display SSNs;
– Print SSNs on identification cards;
– Require people to transmit SSNs over the internet unless it is encrypted or the connection is secure;
– Use a SSN as a login unless a password is also required; or
– Print it on materials unless legally required

Page 34: Social Security Number Laws

Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Louisiana, Maryland, Michigan, Minnesota, Missouri, Nevada, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Rhode Island, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin

Page 35: California’s Data Security Law (AB 1950, Cal. Civ. Code § 1798.81.5)

Broad law that applies across the board, even to non-electronic data

The law is triggered if a business owns unencrypted personal data regarding a California resident

Businesses and third parties who receive data must have “reasonable” security measures and procedures

Sliding scale

Page 36: California’s Data Destruction Law

Consumer records must be destroyed if they contain personal information, when the records are no longer needed

This obligation applies whether the record is in electronic form or not

Destruction is accomplished through:
– shredding;
– erasing; or
– otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means

Page 37: Data Security/Destruction Laws

SOX, FACT Act

Arkansas, California, Colorado, Indiana, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington

Page 38: Spyware and Phishing

12 states have enacted laws (mostly this year) on spyware or phishing.

What is spyware?
– “software that gathers information about a computer’s use and transmits that information to someone else, appropriates the computer’s resources, or alters the functions of existing applications on the computer, all without the computer user’s knowledge or consent.” FTC v. Seismic Entertainment Productions, Inc., 2004 WL 2403124.

Page 39: Spyware and Phishing

Spyware and the DMCA
Recent issues

Page 40: Spyware, Phishing and Pharming

What is the importance of these issues to companies?
– Implicates advertising.
– Affects software update features.
– Customer losses.
– Business losses and network costs.
– IP infringement.

Page 41: Restrictions on Spyware

What triggers a spyware law?
– Affecting a computer you do not own.
– Engaging in some form of deceptive conduct.

Page 42: Restrictions on Spyware

What are examples of deceptive or improper acts?
– Gathering certain forms of personally identifiable information.
– Changing a homepage setting.
– Changing computer settings.
– Blocking the installation of software.
– Causing the installation of software.
– Changing other Internet settings.
– Assuming control of a computer.
– Setting cookies?

Page 43: Civil Actions for Spyware

In many cases civil actions (apart from statutory violations) face legal hurdles.

Kerrins v. Intermix
– Disgorgement of profits not permitted as a remedy.
– Included California’s Little FTC Act, B&P Section 17200.

Page 44: Civil Actions for Spyware

Restrictions on enforcement.
– Some states limit the categories of people that can bring an enforcement action:
  Directly affected consumer. ISPs. The state. Trademark owner.

Page 45: Phishing and Pharming

Phishing is the use of email or other means to imitate a legitimate company or business in order to obtain passwords or other sensitive information in order to commit theft or fraud.

Pharming is the use of an improper website in order to obtain information improperly.

Page 46: Potential Enforcement for Phishing and Pharming

– CFAA.
– Wire fraud.
– FTC Act.
– State FTC Acts.
– State phishing and identity theft laws.
– IP lawsuits.

Page 47: Privacy Litigation

Airlines cases.
– Dyer v. Northwest Airlines Corporation, et al., 334 F.Supp.2d 1196 (D.N.D. 2004);
– In re American Airlines Privacy Litigation, 3:04-MD-1627-D (N.D.Tex. 2005).

Laptop case.
– Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D.Minn. 2006).

No standing/no damages.
– Bell v. Acxiom, 2006 WL 2850042 (E.D.Ark. 2006).

Page 48: Privacy Takeaways

– Assess what information is being collected
– Think through the types of data you are collecting
– Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers

Page 49: Privacy Takeaways

– Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems.
– Consider what security systems you have in place and what security measures you are requiring third parties to have.
– Consider restrictions upon the use of removable media.
– Make sure your privacy policy makes the necessary disclosures.

Page 50: Privacy Takeaways

– Reserve the right to modify your privacy policy
– Ensure that employees are aware of your policies
– Assess whether you have a responsibility to report a data security incident
– Consider what security systems you have in place and what security measures you are requiring third parties to have
– Determine if you are sending or receiving data to countries that have higher privacy and security standards