Planning to be in the Chicago area on June 4? Register to attend this interactive panel discussion regarding best practices for social media policies. The panelists' multi-disciplinary perspectives will cover privacy, intellectual property and employment law issues related to the use of social media in the workplace.
In a significant move, the Court of Justice of the European Union (CJEU) has ruled that the Data Retention Directive 2006/24/EC (Directive) is invalid. This decision is expected to have wide-reaching implications for privacy laws across the European Union.
On 8 April 2014, the CJEU held that the requirement imposed on internet service providers (ISP) and telecom companies to retain data for up to two years “entails a wide-ranging and particularly serious interference with [the] fundamental rights [to respect for private life and communications and to the protection of personal data] in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”
The Directive
The Directive is a product of heightened security concerns in the aftermath of terrorist attacks around the world. It facilitated almost unqualified access by national authorities to the data collected by communications providers for the purpose of the prevention, investigation, detection and prosecution of organised crime and terrorism. To enable this access, obligations were imposed on communications providers to retain certain data for between six months and two years.
The Ruling
Specifically, communications providers were required to retain traffic and location data as well as data necessary to identify users. It did not, however, permit the retention of communication content or of the information consulted by the user.
The CJEU found that the retained data revealed a phenomenal amount of information about individuals and their private lives. The data enabled the identification of persons with whom the user has communicated and by what means; the time and place of communication; and the frequency of communications with certain persons during a given period. From this data, a very clear picture could be formed of the private lives of users, including their daily habits, permanent or temporary places of residence, daily or other movement, activities carried out, social relationships and the social environments frequented.
The CJEU accepted the retention of data for use by national authorities for the legitimate objective of national security, but opined that the Directive went further than necessary to fulfil those objectives, violating the proportionality principle.
It delineated five main concerns:
Generality – The Directive applies to all individuals and electronic communications without exception.
No Objective Criteria – The Directive did not stipulate any objective criteria and procedures with which national authorities should comply in order to access the data.
No Proportionality of Retention Period – The minimum retention period of six months failed to provide for categories of data to be distinguished or for the possible utility of the data vis-à-vis the objectives pursued. Further, the Directive did not provide any objective criteria by which to determine the data retention period which would be strictly necessary according to the circumstances.
Insufficient Safeguards – The Directive fails to provide sufficient safeguards against abuse and unlawful access and use of the data.
Data may leave the EU – There is no requirement to retain the data in the EU [...]
On April 10, 2014, Kentucky became the 47th state to enact breach notification legislation. Under the new law, companies that conduct business in Kentucky and hold consumer data of Kentucky residents will now be required to disclose data breaches involving the unauthorized acquisition of unencrypted computerized data of Kentucky residents. Companies must disclose the breach in the “most expedient time possible” and “without unreasonable delay” to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The Kentucky law is similar to many other state breach notification laws. For example, the Kentucky law defines “personal information” as an individual’s first name or first initial and last name in combination with either their Social Security number; driver’s license number; or account, credit or debit card number in combination with any required security or access code. In addition, the legislation permits companies to provide notification in written or electronic form, through email, through major statewide media or by posting an alert on their website, and allows for the delay of notification if a law enforcement agency determines the action will impede its criminal investigation.
Notably, the law does not require notification to the state attorney general, but does require that notification be given to consumer reporting agencies and credit bureaus if the breach affects more than 1,000 individuals.
Now that Kentucky has a data breach notification law, just Alabama, New Mexico and South Dakota remain as the three states that still do not have a comprehensive notification law outside of the public sector.
“Heartbleed” has been all over the news, and companies have been scrambling to respond. What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL. It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL. According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”
So how can companies stop the bleeding?
Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL. More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites. It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched. This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items. A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
Update to the latest version of OpenSSL to fix the flaw. After updating, companies need to generate a new encryption key (most IT teams know how to do this) and obtain a new SSL Certificate from a trusted authority, which will signal to browsers that the website is secure. Generating the new key is critical—otherwise a company’s server and data could still be at risk.
Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
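The two technical steps above, identifying affected OpenSSL builds and then rotating the server key, as an added shell example that is not part of the original post. It assumes the well-documented affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed; 0.9.8 and 1.0.0 unaffected) and uses a placeholder hostname and output directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies an
# `openssl version` string for the Heartbleed flaw and rotates the server
# key afterwards. Version facts assumed here: OpenSSL 1.0.1 through 1.0.1f
# (and 1.0.2-beta1) carry the bug; 1.0.1g and later are fixed; the 0.9.8 and
# 1.0.0 branches never had the affected heartbeat code.

# heartbleed_status "<output of openssl version>"
# Prints VULNERABLE, FIXED, UNAFFECTED or UNKNOWN.
# Caveat: distributions often backport the fix without changing the version
# string, so VULNERABLE means "verify against the vendor's advisory", and
# FIXED still assumes every process using the library was restarted.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1*)
            echo VULNERABLE ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|[2-9].*)
            echo FIXED ;;
        0.9.*|1.0.0*)
            echo UNAFFECTED ;;
        *)
            echo UNKNOWN ;;
    esac
}

# rotate_key_and_csr <hostname> [output-dir]
# The "generate a new encryption key" step above: a fresh 2048-bit RSA key
# and a CSR to submit for a replacement certificate. The old key must be
# treated as exposed, because Heartbleed allowed it to be read out of server
# memory, so reissuing a certificate on the old key would not help.
# Hostname and directory are placeholders supplied by the caller.
rotate_key_and_csr() {
    host=$1
    dir=${2:-.}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    (
        umask 077   # the new key must not be readable by other users
        openssl genrsa -out "$dir/$host.key" 2048 &&
        openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
    ) && echo "new key: $dir/$host.key  CSR: $dir/$host.csr (revoke the old certificate once the new one is installed)"
}

# Demonstration on constructed version strings, plus the local build if present.
main() {
    for v in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
             "OpenSSL 1.0.0l 6 Jan 2014" "OpenSSL 1.0.2-beta1 24 Feb 2014"; do
        printf '%-35s %s\n' "$v" "$(heartbleed_status "$v")"
    done
    if command -v openssl >/dev/null 2>&1; then
        printf 'local build: %s\n' "$(heartbleed_status "$(openssl version)")"
    fi
    return 0
}

main "$@"
```

Run `rotate_key_and_csr www.example.com /etc/ssl/private` (placeholder values) only after the patched library is installed and services restarted, then install the certificate issued for the new CSR.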
But what about the blood that’s already spilled?
After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.
Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.
In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed. Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.
Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN [...]
A recent proposed settlement in Massachusetts may signal readiness on the part of retailers to end so-called “ZIP code” litigation. In 2011, customers of the arts and crafts retailer Michaels Stores Inc. filed a proposed class action in Massachusetts federal district court stemming from the company’s collection of customers’ ZIP codes during point of sale transactions. The complaint alleged that Michaels used the ZIP codes that it collected to acquire customers’ addresses and telephone numbers and then used that information for direct marketing purposes.
Last year, after the plaintiffs had filed their complaint, the Massachusetts Supreme Judicial Court held that under a 1991 Massachusetts law, ZIP codes are considered “personal identification information” and retailers are prohibited from collecting such information during credit card transactions. The court also gave plaintiffs an opening to overcome the sometimes difficult harm threshold for consumer class actions: it found that a retailer’s subsequent use of personal identification information for direct marketing purposes constituted sufficient harm to the consumer to subject the retailer to liability. The court’s holding left Michaels with few defenses under the statute, which states that merchants accepting credit cards shall not “write, cause to be written or require that a credit card holder write personal information, not required by the credit card issuer, on the credit card transaction form.”
The district court recently gave preliminary approval to a settlement of the claims against Michaels. The proposed settlement, totaling nearly $875,000, covers all customers from whom Michaels requested and recorded personal identification information in conjunction with a credit card or debit card transaction in a Massachusetts retail store after May 23, 2007. The settlement divides customers into two subclasses depending on how Michaels used the information it collected. The first sub-class includes approximately 15,000 customers for whom Michaels was able to obtain a mailing address using the ZIP codes collected. The second subclass, numbering approximately 4,300, includes customers whose addresses Michaels obtained using a source other than the collected ZIP codes.
Under the settlement, members of the two subclasses are to receive vouchers of $25 and $10, respectively, for total payments to the class of approximately $418,000. The proposed settlement also calls for Michaels to pay attorneys’ fees of up to $425,000. A final fairness hearing is set for May 20.
Whether the Michaels settlement will have an effect on other class action litigation is an open question. The language of the Massachusetts statute differs in key respects from similar laws of other states. For example, California’s Song-Beverly Credit Card Act imposes liability only where the merchant requests or requires personal identification information “as a condition of accepting credit card payment.” This language in the California law has been used to defeat class certification on the basis that the customers’ beliefs as to whether providing personal identification information was a condition of using a credit card were a necessary element of liability that could not be decided on a class-wide basis. It is unclear whether a similar argument could prevail under the [...]
46 states plus Washington, D.C. have data breach notification laws. Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector. That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information. The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.
The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.
If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).
Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis. Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.
At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard. Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq. We will be watching these bills closely and reporting on any further developments.
On February 11, 2014, the French data protection authority (CNIL) published Deliberation #2014-042 and expanded the list of issues that a whistleblowing program may permissibly receive and process under French privacy laws. Now, these programs also can be used to report employment discrimination and harassment, and health, hygiene, safety and environmental issues. This is a significant development under French privacy law because, up to this point, the Single Authorization No. 4 strictly limited the type of data that French subsidiaries and other companies operating in France could collect. In particular, companies only could receive reports concerning finance, accounting, banking, anti-corruption, and unfair competition. A program that was constructed to receive reports concerning employment discrimination or harassment, for example, was technically in breach of French data privacy laws. Under Deliberation #2014-042, this is no longer the case. For full coverage of these developments, please read: Whistleblowing and Data Privacy in France: A New Pragmatic Approach for Employment and Discrimination Claims.
As we have previously discussed, California Governor Brown signed into law amendments to the California Online Privacy Protection Act (CalOPPA), the 2004 law that requires commercial websites, mobile apps and digital service providers to “conspicuously” post a “privacy policy” if the site or service collects personally identifiable information about California residents. The amendments to CalOPPA add two new disclosure requirements for privacy policies required by CalOPPA:
The privacy policy must explain how the website “responds to ‘Do Not Track’ signals from web browsers or other mechanisms that provide California residents the ability to ‘exercise choice’ about collection of their personally identifiable information.”
The privacy policy must disclose whether third parties use or may use the website to track (i.e., collect personally identifiable information about) individual California residents “over time and across third-party websites.”
Under amended CalOPPA, websites, mobile apps and digital service providers should have updated their privacy policies to include the new disclosure requirements by January 1, 2014. But, due to confusion about (among other things) what “Do Not Track” really means, many consumer-facing website operators and service providers in the digital and mobile space have not yet made the needed policy updates.
To learn more about CalOPPA and tips for complying with the new amendments, join Of Digital Interest’s editors Heather Egan Sussman and Julia Jacobson tomorrow (February 25th) at the 90-minute Track Me, Track Me Not: Complying with California’s Do Not Track Disclosure Requirements live webinar.
No doubt about it: the U.S. Federal Trade Commission (FTC) is serious about taking action against companies that misrepresent their U.S.-EU Safe Harbor certification status. On February 11, 2014, the FTC announced that children’s online entertainment company Fantage.com agreed to settle charges that it deceptively represented, through statements in its online privacy policy, that it held a current certification under the U.S.-EU Safe Harbor framework. The Fantage.com settlement follows on the heels of the FTC’s settlements (announced on January 21, 2014) with 12 companies that made representations about Safe Harbor compliance when in fact their certifications had lapsed. These 13 settlements, announced within the first six weeks of 2014 and added to the 10 settlements reached for similar actions from 2009 to 2012, indicate the FTC’s commitment to ensuring that the Safe Harbor Program remains a vital and effective compliance mechanism for U.S.-based multinational companies.
The Allegations and Order
According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publicly available statements about its compliance with the U.S.-EU Safe Harbor Framework. From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status.
In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed. The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:
“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.”
While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company. The Settlement Agreement Containing Consent Order:
enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.
If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.
Compliance Tips
Based on these enforcement actions, any company that self-certifies under the U.S.-EU Safe Harbor Framework should immediately:
review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014 and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.
Class Action Litigation Predictions
2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions. Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer. With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year. And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.
That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA. 2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes.
In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes. One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year. Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.
As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal. I expect to see in 2014:
Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.
Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services [...]