©2006 Foley & Lardner LLP
Understanding Privacy and Security Litigation
Michael P. McCloskey
Partner, Securities Litigation
402 West Broadway, Suite 2100
San Diego, CA 92101
Telephone: 619.685.6409
Email: [email protected]

Andrew B. Serwin
Partner, IP Litigation
402 West Broadway, Suite 2100
San Diego, CA 92101
Telephone: 619.685.6428
Email: [email protected]
Privacy: General Principles
– Notice
– Choice
– Onward Transfer
– Access
– Security
– Data Integrity
– Enforcement
Privacy: Ultimately Four Issues
– What information do you collect?
– What do you do with the information?
– When can’t you disclose it?
– When must you disclose it?
Federal Privacy Statutes
– Children’s Online Privacy Protection Act (COPPA);
– Gramm-Leach-Bliley (financial);
– Electronic Communications Privacy Act;
– Health Insurance Portability and Accountability Act (medical);
– Others (FCRA, FACTA); and
– Right to Financial Privacy Act
COPPA (15 U.S.C. § 6501, et seq. 16 C.F.R. § 312 et seq.)
Restricts the collection of information from children 12 and under by “operators” of:
– commercial websites that are directed to children 12 and under that collect personal information from children;
– general websites that knowingly collect personal information from children 12 and under; and
– general websites that have a separate children’s area and that collect personal information from children 12 and under.
Does not apply to ISPs in most circumstances
COPPA
FTC is very active with COPPA issues
– Time out cookies
– “Bounce” issues
– From v. about
– Age Field
The FTC just renewed the COPPA rules
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
There are two portions of the ECPA:
– The Wiretap Act; and
– The Stored Communications Act
This is a temporal distinction
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
Wiretap Act and Councilman
– Prohibits “interception” of “electronic communications”. An “electronic communication” is “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”
– Unlike the definition of “wire communications” and the storage definition of the Stored Communications Act, it does not include electronic storage.
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
Applies mostly to businesses in the employee context.
Two potential exceptions:
– to protect the provider, another provider, or a user, from fraudulent, unlawful or abusive use of such service; or
– a person employed or authorized, or whose facilities are used, to forward such communication to its destination
State Employee Email Monitoring Laws
Connecticut
– Requires notice and posting of notice of the employer’s monitoring policies
Delaware
– Requires that notice be given every day to the employee
Certain exceptions apply for investigations
Civil penalties are available
Fischer v. Mt. Olive Lutheran Church
Federal Disclosure Statutes
– Communications Assistance for Law Enforcement Act; and
– The Patriot Act
– The DMCA
The FTC and Privacy
FTC has an announced privacy agenda:
– Stepping up enforcement of spam laws
– Increasing assistance to victims of identity theft
– Enforcing companies’ privacy promises is also a focal point of the FTC’s agenda
– Enforcing federal laws
Additional guidance is available via consent orders posted on the FTC website
The FTC and Privacy
Tower Records
– Claimed to have reasonable security in shopping cart area
– Had a security issue that permitted customer information to be revealed
CartManager International
– Third-party provider misrepresented
BJ’s Electronics
– Inadequate data security on wireless networks with credit card information
The FTC and Privacy
Sunbelt Lending Services
– Violation of the Safeguards Rule, including for the failure to assess risks and implement safeguards to control these risks, train and oversee employees, and monitor the network for vulnerabilities
DSW; ChoicePoint; CardSystems, Inc.
– Inadequate data security was an unfair practice
Pretexting
Covered by GLB. Also prohibited under a number of state and federal laws.
What is Pretexting?
Obtaining certain forms of information under false pretenses. It can be improper depending upon the type of data, the type of person seeking it, and the purpose of the request.
Situations where pretexting has been used to obtain information
– Disability claims (malingering)
– Collection cases/background checks
– Investigative/celebrity reporting
– “Non-compete” investigations
– To find witnesses, research alibis
– Finance/accounting fraud allegations
– Investigating falsification of records
– Misappropriation of trade secrets
– Misuse/theft of corporate assets
– Derivative claims
– Competitive intelligence
– Litigation related investigations
– To detect ongoing violations of law
Why would anyone pretext?
– Difficult to discover information by other means
– Subpoena/discovery power is unavailable
– Legitimate information brokers have “dried up”
– Information obtained by pretext is widely available on the internet as “research” for a fee
– Disgruntled employees with access can be bribed
– Information brokers contend method is not illegal, or an “investigative” or “prosecutorial” exception
– Anonymity of source may lend false sense of legitimacy
– Avoids having to close investigations for lack of proof
– Deception gives criminals edge
– Lack of enforcement
Risks of Improper Pretexting
Criminal, civil penalties, including aiding and abetting
– Hewlett Packard case
Potential violations of attorney code of professional responsibility; potential disciplinary consequences
– False statement of material fact or law to third person
– Conduct involving dishonesty, fraud, deceit or misrepresentation
– Failure to supervise
– Counseling client to commit a crime or fraud
– Misleading unrepresented persons
– “Reflects adversely” on lawyer’s “fitness to practice”
Civil liability for investigator’s tortious conduct
Suppression of evidence, other sanctions
Adverse publicity
Pretexting and Investigations
The type of information sought can affect your ability to get it. Where the information is coming from matters as well.
The Law of Pretexting
– GLB
– Wire fraud
– The Federal Trade Commission Act/Telecommunications Act of 1996
– The Computer Fraud and Abuse Act
– State identity theft laws
– State restrictions on phone records
– Common law fraud
Pretexting and State Law
Many companies are subject to many states’ jurisdiction, and consideration of state law is important.
When seeking information from providers, in many cases the information sought may be subject to state protection.
It is not always clear what law applies to your investigation.
California Law
– Recently adopted SB 202.
– It applies to telephone records.
– Need fraudulent intent for obtaining records.
Most States Have Identity Theft Laws
Alaska, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Washington D.C., West Virginia, Wisconsin, Wyoming
State Public Utility Restrictions on Telephone Records
– California Public Utilities Code Section 2891.
– California Code of Civil Procedure Section 1985.3
What You Can Do to Prevent Problems and Run a Proper Investigation
Find out what state and federal laws are applicable to your company/industry.
Check out your investigators.
Consider whether it is better to run investigations internally or externally.
Consider whether you really need the information you are seeking.
Consider including policies regarding information gathering in litigation or pre-litigation matters.
Consider inserting contractual language in investigators’ agreements.
What You Can Do to Prevent Problems and Run a Proper Investigation
Restrict the gathering of certain types of information under false pretenses.
Limit the scope of your investigation to the purpose of the investigation.
Make sure you have a monitoring policy in place.
Consider whether you have authority to gather information from an employee’s computer or network.
International Issues
SOX
– Whistleblower issues and foreign data protection regimes
Employee issues
California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22579)
Applies if “personal information” is collected through the website
A website must then:
– Have a privacy policy that discloses the type of information collected;
– Describe the process, if any, for consumers to change their information;
– Describe the process for consumers to receive notice of material changes to the policy; and
– Identify its effective date
Format requirements
Notice of Security Breach Laws (Cal. Civ. Code § 1798.82)
Triggered if there is a breach of data security; and
A consumer’s personal information is implicated
Applies even if there is simply a reasonable belief that there was an acquisition of data
Law enforcement concerns
Direct notice typically required, though substitute notice is permitted in certain instances
Notice of Security Breach Laws
Issues to watch out for:
– What good is encryption?
– Electronic v. non-electronic (North Carolina’s law applies to non-electronic)
– Is there a general duty?
– Who else must notice be given to?
– What form of notice?
– Is notice required if there is no likelihood of identity theft?
Notice of Security Breach Issues
33 other states (and the OCC) have enacted laws or rules
– Including: Arkansas; Connecticut; Delaware; Florida; Georgia; Illinois; Indiana; Louisiana; Maine; Minnesota; Montana; Nevada; New Jersey; New York; North Carolina; North Dakota; Rhode Island; Tennessee; Texas and Washington
Ohio Attorney General action
Restrictions Upon the Collection of SSNs (Cal. Civ. Code § 1798.85)
Companies cannot:
– Post or publicly display SSNs;
– Print SSNs on identification cards;
– Require people to transmit SSNs over the internet unless it is encrypted or the connection is secure;
– Use an SSN as a login unless a password is also required; or
– Print it on materials unless legally required
Social Security Number Laws
Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Louisiana, Maryland, Michigan, Minnesota, Missouri, Nevada, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Rhode Island, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin
California’s Data Security Law (AB 1950; Cal. Civ. Code § 1798.81.5)
Broad law that applies across the board, even to non-electronic data
The law is triggered if a business owns unencrypted personal data regarding a California resident
Businesses and third-parties who receive data must have “reasonable” security measures and procedures
Sliding scale
California’s Data Destruction Law
Consumer records must be destroyed if they contain personal information, when the records are no longer needed
This obligation applies whether the record is in electronic form or not
Destruction is accomplished through:
– shredding;
– erasing; or
– otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means
Data Security/Destruction Laws
SOX, FACT Act, Arkansas, California, Colorado, Indiana, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington
Spyware and Phishing
12 states have enacted laws (mostly this year) on spyware or phishing.
What is spyware?
– “software that gathers information about a computer’s use and transmits that information to someone else, appropriates the computer’s resources, or alters the functions of existing applications on the computer, all without the computer user’s knowledge or consent.” FTC v. Seismic Entertainment Productions, Inc., 2004 WL 2403124.
Spyware, Phishing and Pharming
What is the importance of these issues to companies?
– Implicates advertising.
– Affects software update features.
– Customer losses.
– Business losses and network costs.
– IP infringement.
Restrictions on Spyware
What triggers a spyware law?
– Affecting a computer you do not own.
– Engaging in some form of deceptive conduct.
Restrictions on Spyware
What are examples of deceptive or improper acts?
– Gathering certain forms of personally identifiable information.
– Changing a homepage setting.
– Changing computer settings.
– Blocking the installation of software.
– Causing the installation of software.
– Changing other Internet settings.
– Assuming control of a computer.
– Setting cookies?
Civil Actions for Spyware
In many cases civil actions (apart from statutory violations) face legal hurdles.
Kerrins v. Intermix
– Disgorgement of profits not permitted as a remedy.
– Included California’s Little FTC Act, B&P Section 17200.
Civil Actions for Spyware
Restrictions on enforcement.
– Some states limit the categories of people that can bring an enforcement action: directly affected consumer; ISPs; the state; trademark owner.
Phishing and Pharming
Phishing is the use of email or other means to imitate a legitimate company or business in order to obtain passwords or other sensitive information and commit theft or fraud.
Pharming is the use of an improper website in order to obtain information improperly.
Potential Enforcement for Phishing and Pharming
– CFAA
– Wire fraud
– FTC Act
– State FTC Acts
– State phishing and identity theft laws
– IP lawsuits
Privacy Litigation
Airlines cases.
– Dyer v. Northwest Airlines Corporation, et al., 334 F.Supp.2d 1196 (D.N.D. 2004);
– In re American Airlines Privacy Litigation, 3:04-MD-1627-D (N.D. Tex. 2005).
Laptop case.
– Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D. Minn. 2006).
No standing/no damages.
– Bell v. Acxiom, 2006 WL 2850042 (E.D. Ark. 2006).
Privacy Takeaways
Assess what information is being collected
Think through the types of data you are collecting
Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers
Privacy Takeaways
Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems.
Consider what security systems you have in place and what security measures you are requiring third parties to have.
Consider restrictions upon the use of removable media.
Make sure your privacy policy makes the necessary disclosures.
Privacy Takeaways
Reserve the right to modify your privacy policy
Ensure that employees are aware of your policies
Assess whether you have a responsibility to report a data security incident
Consider what security systems you have in place and what security measures you are requiring third parties to have
Determine if you are sending or receiving data to countries that have higher privacy and security standards