Court Rules Twitter Libel is Stale, and Neither Ripe Nor Moldy

Back in July, Legal Bytes posted a report (Landlord Can't Let Tweet sMOLDer) about a Twitter "tweet" posted by Amanda Bonnen that contained the following statement: "Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it's OK."

Back then we told you that Horizon Group Management, the landlord of the apartment building involved, filed suit in a Cook County Illinois Court for libel, alleging that it was a "malicious and defamatory" tweet about the state of her apartment. 

Well, this past Wednesday (Jan. 20, 2010), Cook County Circuit Court Judge Diane J. Larsen dismissed the suit, and Ms. Bonnen's attorney indicated the judge described the posting as too vague to constitute libel under the legal tests applicable to such a claim.

To support a claim of libel, Horizon would have had to show that Ms. Bonnen wasn't merely offering her opinion, that the statement would be reasonably understood by everyone to refer to the specific entity—in this case, this particular Horizon realty company—and that there was actual, provable harm flowing from the statement. The fact that the statement was made on Twitter, and consequently widely available across the Internet, doesn't change the standard one must meet to prove libel, and the judge dismissed the case.

As you can guess, these aren't the only cases involving defamation in the context of social media. For example, the action against Courtney Love, wife of the late Kurt Cobain, is alive and well. You might recall that case arose when a fashion designer claimed Ms. Love tweeted that the designer was a drug addict, a prostitute and called her a "lying hosebag thief." As we reported in Legal Bytes this past August (Court Orders Google to Turn Over Blogger Identity Information), cases of defamation become even more complex when the identity of the actual "tweeter" is hidden behind a pseudonym.

These cases all hinge upon the friction created by social interaction. Defamation is not a new concept, and whether broadcast over radio waves or propagated across the web, it should come as no surprise that when human beings populate the borderless universe of cyberspace, these interactions can give rise to legal actions. The laws that apply to publicity, privacy, libel, deceptive advertising, unfair competition and intellectual property may need to be applied or viewed differently, but they don’t disappear simply because the content is digital. Need to know more? Contact me, Joseph I. Rosenbaum, or any Reed Smith attorney with whom you regularly work.

Court Orders Google to Turn Over Blogger Identity Information

Earlier this week, New York State Supreme Court Judge Joan Madden ordered Google to turn over account information about an anonymous blogger to model Liskula Cohen in order to enable her to pursue a claim of defamation. The blogger had used Google’s blogging service to create a blog entitled “Skanks in NYC,” and had posted pictures and references to the model that were anything but flattering, and which, she claimed, lost potential opportunities for her. When Ms. Cohen originally sought to find out who had posted the content, predictably Google resisted, maintaining that its privacy policy does not permit the disclosure of the blogger’s account information.

To put this in perspective, the protection of free speech—especially anonymous speech—is a concept in American jurisprudence and history that traces its roots to Thomas Paine’s pamphlet, Common Sense. First published in 1776, it anonymously challenged the authority of Great Britain in the New World and is widely regarded as the first work to openly ask for independence for the Colonies from Britain.

Since then, state courts have varied on just how wide those rights go and for what purposes protection is appropriate. Although I am hardly a First Amendment lawyer or a Constitutional scholar, the legal issue still seems simple. If the speaker—anonymous or not—is expressing ideas or an opinion or belief, he or she is more likely to enjoy protection. While there are limitations on freedom of expression (e.g., yelling “fire” in a crowded theater), political expression has typically enjoyed greater protection than “commercial” speech—one being fundamental to a society’s encouragement of the free flow of ideas, the other designed to promote a product, service or brand in a free market economy. On the other side of the spectrum, and generally not protected, would be public expressions that are clearly and solely intended to hurt someone, where actual harm can be shown from intentional or malicious public expression or, as was determined by the New York court here, where an illegal act was or was likely to have been committed—in this case, defamation.

While it is difficult to pinpoint a single factor that will always favor protection, anonymity is a strong legal shield U.S. jurisprudence holds dear to protect individuals from the potential swords of those in power, or from anyone who might seek to stifle dissent or ideas that might be unpopular. For example, in 2005, a blogger who ranted against a politician, accusing him of “obvious mental deterioration,” was ultimately protected by the Delaware Supreme Court, which expressed concern over the potential “chilling effect” on anonymous speech. The blogger in this case was referring to a politician, and the court ruled that in order to justify revealing the identity of an anonymous blogger, the plaintiff must provide evidence sufficient to establish all the elements of the claim if the case were to go to trial. Because the court concluded no reasonable person would believe the blogger’s statements to be factual, no action for defamation could be sustained, and the court dismissed the case. You can read the Delaware Supreme Court’s decision in full right here, but clearly for bloggers, this represented a significant landmark and affirmation of the substantial protection afforded anonymous posting.

In a subsequent 2008 case, a Maryland Court of Appeals decision (Independent Newspapers, Inc. v. Zebulon J. Brodie) similarly concluded that anonymous posts should be protected, and set out an approach first detailed in a New Jersey case (Dendrite Int'l, Inc. v. John Doe No. 3) describing the steps judges should take in deciding whether to compel disclosure of anonymous online speakers in cases that come along in the future.

Unlike the previous cases, and potentially distinguishing this case, is the fact that the blogger here targeted Ms. Cohen intentionally, exclusively, and individually; and while the defendant argued the postings were just “trash talk” and only opinion, Judge Madden noted that if Ms. Cohen could prove the blogger’s statements were factually inaccurate, it would refute the argument that the posts were merely opinion and would support a legal claim of defamation.

As we have previously noted in Legal Bytes in articles describing the FTC’s efforts to regulate the blogosphere, and in presentations we have made, it is clear that online speech is coming under increased scrutiny, and that regulators and courts appear to be nibbling away at the virtually complete immunity anonymous bloggers once seemed to enjoy, seeking to define the contours of what is or is not permissible conduct on the web. Does anyone remember the term “netiquette”?

For more information, or for assistance with issues like these or any social media, online, digital content, gaming or matters that meet at the crossroads of advertising, technology & media, look up Joseph I. Rosenbaum, send me an email, or contact the Reed Smith attorney with whom you regularly work. We are happy to help.

Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles

A group of the nation's largest media and marketing trade associations today released self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices, and enable them to exercise control over that information.

In an extraordinary show of industry cooperation and collaboration, the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau last week released a series of self-regulatory principles, intended to be implemented by 2010 and designed to protect consumer privacy in advertising-supported interactive media. As part of the announcement, the Council of Better Business Bureaus, along with the DMA, has agreed to implement accountability programs relative to these principles.

These self-regulatory guidelines come on the heels of a recently released study commissioned by the IAB entitled “Economic Value of the Advertising-Supported Internet Ecosystem,” which reported that the advertising-supported Internet represents 2.1 percent of the total U.S. gross domestic product (GDP), contributing $300 billion to the economy, and has created 3.1 million U.S. jobs.

“Guided by the seven Principles we have announced today, the advertising community is developing one of the most comprehensive self-regulatory programs ever undertaken by the business community. The fast-changing online marketing environment is best addressed by a self-regulatory framework that is transparent, flexible and accountable to consumers' needs and concerns. On behalf of our 360 members, who collectively invest more than $200 billion annually in marketing communications, we look forward to jointly developing a comprehensive business system that respects and honors these Principles,” said Bob Liodice, President and CEO, ANA.

“This historic collaboration represents businesses and trade associations working together to advance the public interest,” said Randall Rothenberg, President and CEO, IAB. “Although consumers have registered few if any complaints about Internet privacy, surveys show they are concerned about their privacy. We are acting early and aggressively on their concerns, to reinforce their trust in this vital medium that contributes so significantly to the U.S. economy.”

The seven Principles, designed to address consumer concerns about use of personal information without wreaking havoc on the advertising that subsidizes and supports the vast array of free online content, relate to:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

We will be highlighting each of these principles separately in Legal Bytes over the weeks ahead, but if you would like to read the “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link.

Give Credit (Card), No Give a Gift (Card)! Why Not Give Both?

Although consumer credit regulation is hardly new – Regulation E, the Fair Credit Reporting Act, Regulation Z and laws regulating disclosures, debt collection practices, billing statements and the like have been around for decades – for the first time in U.S. history, Federal legislation is tackling pricing, rate modifications, advertising disclosures and fees, and adding a gift card angle as well. 

While the House has not yet passed this or any other version of the legislation, those in the know believe a similar, if not identical, bill will be approved by the House of Representatives and that the President is likely to sign it. 

Are you a bank, payment card association, credit union or financial institution that issues credit cards or gift cards? Here are highlights of the bill that passed the Senate:

  • When marketing, a card issuer would not be permitted to increase any advertised ‘teaser’ rates for at least a year after a new account was opened for the consumer, and promotional rates advertised to consumers must remain in effect for at least six months;
  • Unless the card-issuing institution obtains proof that an applicant under 21 can actually repay the credit card debt, credit cards can only be issued to individuals under the age of 21 if a parent, legal guardian or guarantor agrees in writing to be responsible for the debts;
  • If a consumer pays more than the minimum balance due, the excess must be applied to the balance with the highest interest rate;
  • Card issuers will not be allowed to change rates retroactively on existing balances (there is an exception where the consumer is past due by 60 days – which, I guess, presumes that when a consumer can’t afford to pay their balance within 60 days, it’s ok to raise their rates since they probably won’t be able to afford to pay a higher rate either);
  • Bills for balances due must be sent at least three weeks (21 days) before their due date;
  • Card issuers will no longer be able to charge additional fees to consumers for alternate payment mechanisms (e.g., by mail, telephone, online, electronic, wire transfers), unless the consumer requests and the issuer offers some type of ‘expedited’ service;
  • Consumers must be asked if they want to allow ‘over-limit’ credit transactions and if they do not affirmatively consent, the card issuer will not be permitted to charge a fee if the issuer still authorizes the transaction (e.g., your credit limit is $1,000 and you charge something for $1,001 and the authorization system approves the transaction anyway);
  • Changes in the terms and conditions that apply to consumer cardholders will require at least 45 days’ notice; and
  • The minimum amount of time a gift card must remain valid for use will be 5 years. First, it is likely this will apply to gift cards that are consumer-oriented and where full value is paid, and not to discounted, bulk sales, non-consumer, incentive, employer or promotional gift cards – but then the legislation isn’t final yet, is it? Furthermore, the Federal legislation is not likely to preempt more consumer-friendly State law (e.g., California prohibits any expiration date on such gift cards), but it will place a minimum level of consumer protection against earlier expiration, even in States that have no applicable regulation.

There is also consideration being given to removing any current legal and contractual restrictions on merchants that would allow them to differentially price their products and services based on the incremental costs (or savings) of accepting different forms of payment. When credit and debit cards were scarce and cash was king (cash, as in ‘currency’), regulation and industry groups frowned upon differential pricing, arguing that allowing a merchant to charge more for the use of a credit card was discriminatory to the consumer – even though the cost of accepting such payment instruments was higher (the merchant pays a fee (discount rate) to the card-issuing enterprise for the privilege of accepting the particular brand of card). Furthermore, the growth of corporate and purchasing cards and the use of payment instruments in B2B transactions has resulted in situations where a manufacturer accepts a purchasing card (procurement-based credit card) in payment of sales to distributors, wholesalers and retailers – a fee is charged to the manufacturer for the card transaction. This chain continues until a consumer makes a retail purchase, and if any or all of these transactions involve branded payment instruments and not cash, travelers’ checks, bearer bonds or two goats and a chicken, today, a fee would most likely accrue on each payment-card transaction at each step of the way . . . significantly raising the cost to everyone and ultimately the consumer. Stay tuned.

So: Consumer Credit? Co-branded promotions? Loyalty Rewards Programs? Gift Cards? Premiums and Incentives? Retail Promotions? Payment Card Industry (PCI) Data Security Standards? Privacy & Data Protection? Identity Theft? Data Breach? Pre-Screening? Online Digital Payment Systems? Corporate Cards? Purchasing Cards? E-Commerce? Regulation E? Regulation Z? Statement Insert Advertising? Credit/Demographic Market Segmentation? Free? APR? Limited Time Offer?

Any of these sound familiar? It’s what we do. Our Advertising Technology & Media Law Group; our Financial Institutions Group; our Data Security and Identity Theft Group . . . need we say more . . . If you need help (or you are just overstimulated by the flurry of legislation, regulation and excitement), call us or email me at jrosenbaum@reedsmith.com. We can help.

Transborder Transfers of Data Outside Europe Need New Rules

The European Commission established a Data Protection Working Party on data protection and privacy—an independent advisory body set up under the Data Protection Directive. This Working Party recently published an opinion relating to the EC’s draft standard contract terms that apply to the movement of data across national borders, notably between Member States within and outside of the EU. 

Specifically, the Working Party recommended that the Commission develop brand new model contract provisions to deal with international and multi-national data processing involving transfers of data outside the EC—a long-standing sore point among companies in countries that have historically been viewed as having "inadequate" privacy and data protections. These model or standard contract terms would establish acceptable contractual protections between entities that control data within the European Union/European Economic Area (EU/EEA) and data processors they use outside the European Community, to ensure protections are comparable.


Digital Dilemma - How To Respond When Law Enforcement Knocks

The SEC shows up at your door asking for documents relating to options and securities granted for the past 10 years. Homeland Security Officers arrive at your plant asking to speak to several employees and asking for copies of employment records. State police, having confiscated laptop computers and CD-ROM files during a drug bust, show up at your door asking to compare database records since they suspect that identity theft or credit card fraud may be afoot. The Department of Justice wants to interview several of your employees, claiming some may have entered the United States on non-immigrant visas. Sound far-fetched? Probably not these days.

With the economy in turmoil, corporate officers on the defensive, immigration under attack, and money laundering, piracy, drugs, terrorism and Ponzi schemes making headlines almost every day, law enforcement and regulatory officials are under increasing scrutiny and increasing pressure to protect the public and get results. It doesn't take much imagination to appreciate that during the course of a criminal investigation, the most compelling evidence often arises from third parties who aren't even knowingly involved; airline, credit card, hotel, telephone, email and other records can often document the where, when and sometimes how of criminal activity.

From a civil law point of view, competitive pressures can lead to claims of economic espionage and theft of trade secrets, and antitrust issues can arise that will spawn litigation and the compelled disclosure of evidence. Indeed, any corporate executive or corporate lawyer who has ever been on the receiving end of a third party subpoena issued to them—innocent third parties—knows how burdensome and costly such requests for evidence can be, even if you aren’t a party to the lawsuit.

In a digital world, it is also far too easy to collect, maintain and copy vast amounts of information—information accessible with several keystrokes, available on easily transportable magnetic media. For corporations and their executives and managers, growing and often regular dilemmas must be confronted when law enforcement or regulators show up at the door and start asking questions or requesting information. Corporations have legal obligations involving compliance and cooperation with law enforcement and regulatory officials. But they also have responsibilities and legal obligations to their employees and their workplaces—and to their shareholders. If not done properly, cooperating with law enforcement and regulators can lead to lawsuits by employees, customers and, sometimes—if large amounts of time and money are expended because of improper or inadequate procedures—even shareholders. 


France: Online Ads Could Lead to User Data 'Merchandising'

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world; e.g., an IP address is considered personal data in the EU, but is not personally identifiable information in the United States.

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology, adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

FTC Testimonial and Endorsement Guides Stimulate Industry Comment

Reed Smith acts as counsel to many of the advertising industry’s leading trade and membership associations – The Association of National Advertisers, The Word of Mouth Marketing Association, the Interactive Advertising Bureau, to name only a few. As you may have noticed, a recent Legal Bytes blog post noted that just last month the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report.

Well, the FTC has been busy re-examining its policies regarding testimonials and endorsements in this digital age. As previously reported in Legal Bytes, the FTC indicated it was revising its Testimonial and Endorsement Guides (the first time since the 1980s). Well, comments have now been submitted and we strongly recommend that anyone in the advertising and marketing business take a look at some of them. In fact, to help you, Legal Bytes has a couple you can look at right now – Comments for The Association of National Advertisers and Comments for The Word of Mouth Marketing Association – and when you finish reading them ask yourself:

  • Now that public comments are in, what do we think will happen?
  • What is in front of the FTC that might affect its decision making?
  • How would self-regulation differ from the way the FTC has been operating?
  • What does the new FTC Chairman think about self-regulation?
  • Do we expect the new administration to shift direction? If so, which way?
  • How is all this likely to affect advertising and marketing using product placements, branded entertainment, blogs, consumer generated content, buzz, viral and word of mouth marketing?

If you need to know, you need to contact John Feldman, Douglas Wood or Joseph Rosenbaum - or your favorite Reed Smith attorney - who will be more than happy to help you.

Behave Yourself - FTC Behavioral Ad Guidelines Promote Self Regulation, BUT . . .

FTC Releases Revised Ad Guidelines: Are New Marketing Practices in Your Wallet?

On February 12, 2009, the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report, highlighting the FTC’s voluntary best practices for the behavioral advertising industry. While the FTC continues to support self-regulation, that should not be taken as a vote of confidence for continuing the status quo. Change is in the air and you may well need to:

  • develop more consumer education concerning behavioral advertising;
  • develop internal privacy protections for anonymous data profiles;
  • create opt-in notice mechanisms for collection of sensitive information; and
  • create opt-in notice mechanisms for retroactive changes to privacy practices.

. . . and if you think your privacy policies are ok, as is, think again. The FTC has taken a broad brush to paint a picture of what it considers personally identifiable information (PII) and what ‘sharing’ of that information may require. Our experts Amy S. Mushahwar and John P. Feldman have written an alert that describes what you need to know in more detail. To read the full alert, with links to the FTC releases, click here.

Objects in the Mirror Are Closer Than They Appear

Who would have thought that would refer to our financial system, real estate markets, building developers, technology providers and, lest we forget, automobile manufacturers. This was a year of challenge and change. America elected its first Afro-American President, who inherits a country involved in wars, economic turmoil of unprecedented proportions and a government tab increased by $1 trillion in the past 90 days. The NY Giants won the Super Bowl (and may do it again). The price of gasoline went from $2 a gallon to more than $4 a gallon to less than $1.50 a gallon this year, and the stock market experienced unprecedented swings, some days approaching 1,000 points; and fluctuations of anywhere from 200 to 600 points stopped being unusual—sometimes in the same day! No laughing matter, the Federal Reserve was doling out discount coupons for the purchase of investment banks, banks were buying brokerage houses, and non-banks were lining up to become regulated banks, just so they could share in the bail out fund. Indeed, the term “bail out,” once the domain of skydivers and sinking rowboats, became the most over-used word in the news (and in Congress). Speaking of domains, ICANN turned the world of domain names on its ear with its proposed Draft Applicant Guidebook (Legal Bytes; November 2008). Cyberwarfare no longer remained the domain of motion pictures like “War Games,” “Terminator” and “Matrix” when Georgian websites were under attack while Russian soldiers invaded the real Georgian sites. And speaking of Georgia, a court in the other state of Georgia upheld the validity of promotions held via SMS text messaging. Virtual worlds were in the news: divorces, theft of intellectual property, defamation, performance rights, even the murder of an avatar resulted in an arrest.
“Green,” behavioral and children’s marketing, blogs, word of mouth and viral marketing occupied much of the discussion at the FTC; identity theft and data breaches continue to create privacy concerns; ad-blocking technology mounted an assault on interactive advertising; testimonials and endorsements created buzz, as did publicity rights, led by the estate of Marilyn Monroe (Legal Bytes; May 2008); a New York court decided that emails could amend a contract because they are “writings”; and the online, interactive video gaming industry, wireless advertising and content distribution, and the rise of processing platforms that serve as home computers, entertainment centers, Internet access and gaming portals—oh, and some are handheld and wireless. The fact that 2008 marked the 40th anniversary of the conception of the x86 device and the beginning of what we now know as personal computing—spawned by the obsession of a San Antonio engineer named Austin O. “Gus” Roche—and the 10th anniversary of the publication of my law journal article “Privacy on the Internet: Whose Information Is It Anyway?” went pretty much unnoticed.

Dazed & Confused, Not Shock and Awe

For 2009, here are my predictions:

The economy and strife, regulation and surveillance will dominate the agenda, with the burden of paying for everything from wars to bailouts right in the crosshairs: watch those advertising budgets boys and girls, the taxman cometh.

Privacy and advertising, long separated by passive print, television and radio, will continue to collide—Congress will either pass ineffective and inappropriate legislation because it’s too busy to pay attention, or will defer legislation another year because it’s too busy to pay attention.

Wireless and mobile technology will continue to make us say “wow” and will continue to miniaturize our lives, putting not just communication, but also our wallets, calendars, purchasing, entertainment and working tool kits in our hands, not our laps.

The use of wireless and additional licenses, spectrum and bandwidth will bring the FCC and the FTC colliding in their zeal to regulate, and they will either cooperate because they are too busy to fight or fight because they are too busy to cooperate. In either case, regulation, re-regulation and self-regulation will continue to increase, unregulated.

Marketing, promotions, new media, digital content and distribution platforms will transform gaming and interactive play into entertainment, education and information—giving us more choices, but continuing to blur the lines between advertising, entertainment and information.


The War on Privacy Opens a New Front

In the aftermath of many well-publicized data breaches in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing the ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.


Motion Picture Association of America--Shaken, Not Stirred

In what sounds like a James Bond spy caper, an MPAA executive allegedly paid a hacker $15,000 to break into a server and snatch copies of emails. The hacker accomplished the dirty deed and emailed the MPAA dozens of pages of material—ostensibly for use by the MPAA in its copyright infringement action against a company whose servers were involved in file sharing. The MPAA released a statement that “The information was obtained in a legal manner from a confidential informant who we believe obtained the information legally.”

Now a federal appeals court in California is determining if a lower court ruling should re-define online privacy protection by interpreting “intercept” under the 1968 Wiretap Act. The case, Bunnell v. Motion Picture Association of America, revolves around a ruling a year ago that held the hacker didn’t really “intercept” emails because they were in storage—not technically in transit. The lower court ruled the hacker’s “…actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word ‘intercept,’ Anderson’s acquisitions of the e-mails did not violate the Wiretap Act.” In other words, “grab copies of emails sitting on your server for a nanosecond” and it’s not wiretapping. Stay tuned!

Italian Authorities Aren't Loyal to Customer Information Used for Behavioral Marketing

A new provision of the Italian data protection law (Loyalty Cards, issued Feb. 24, 2005), is getting a workout. The Data Protection Authority fined a well-known supermarket chain €54,000 for not giving customers adequate information regarding use of personal data. The retailer issued loyalty cards—for shoppers to obtain discounts and rewards—and gathered customer names, email and cell phone numbers (personally identifiable information) and behavioral marketing information (spending habits and locations). Customer profiles were then evaluated and used to create targeted ad campaigns. The retailer didn’t ask customers for consent for all of these uses—a violation of the data protection law.

In Italy, if customer information is not used solely for operating the loyalty program, but for customer profiling and advertising, the consumer must be told and must give consent. While consent is not needed to carry out contract obligations needed to fulfill the loyalty reward program itself, collecting more information than needed for that purpose or using information for other purposes requires specific consent. Is this true elsewhere? In Europe? The United States? Canada? Latin America? Asia? New Zealand? Call me and find out, or read my bio.

Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real-time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain losses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Investigating Online & Interactive Advertising

The U.S. Congress appears determined to investigate online advertising. Early this month, the House Energy and Commerce Committee issued a letter to more than 30 companies, and what began as an inquiry into how Internet service providers use network data to target advertising, has morphed into a fishing expedition into all kinds of interactive advertising. Most notably, and despite urging by the FTC to allow self-regulation to take hold, the Committee does not differentiate between personally identifiable information and non-identifying, anonymous data used for traffic metrics, ad insertion and other common advertising purposes. Lumping different kinds of information together could needlessly undermine marketing as it has been practiced for decades. The “tailoring” of advertising, in the Committee’s words, based on consumers’ behavior and media consumption patterns, has been at the heart of marketing for as long as marketing has been around.

More disturbing are presumptions that “privacy” rights are being violated by any and all forms of behavioral or targeted marketing. Advocacy groups opposed to commercial communication seek to promote an implicit, yet fundamental redefinition of personal privacy—i.e., anything that derives from people’s activities, no matter how distanced or anonymous. Taken to its logical conclusion, any academic, commercial or journalistic observation of consumer activity could fall under regulatory restrictions under such a framework. Not surprisingly, the FTC—with its long history of regulation of advertising practices—has argued before Congress that self-regulation is likely to be an effective means of protecting consumers’ real privacy interests. According to testimony by FTC Consumer Protection Bureau Director Lydia Parnes before the Senate Committee on Commerce, Science, and Transportation this July, the FTC is “cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed by industry self-regulation.” Nevertheless, in the letter released this month and in three previous inquiries over the past few months, both the House and the Senate seem to be searching for a rationale to regulate. Stay tuned.

Ad Blocking is in Vogue - Privacy is to Blame (Again)

Ad-blocking programs are getting attention these days, spawned by the proliferation of plug-ins, configuration add-ons, and announced features in upcoming browser releases. These enable browsers to block ads (or content that “looks” like advertising), automating the removal or blocking of some or all content from the web pages a user views. There has always been a balance (and some would add “tension”) between a consumer’s right to privacy and the marketer’s desire to know more and reach the right customer. The direct intersection of these issues, resulting from the rise of consumer and commercial use of the Internet and its complexity, has spawned a degree of heat over these issues never before seen in history.

From the earliest days of ad-supported radio and television broadcasting there has been a balance between the delivery of cost-effective programming and content and the right of the viewer (today, the end-user) to determine what, when and in what form ads are displayed. Advertising plays a major role in subsidizing delivery of programming. Indeed, while technology may give the individual the ability to skip advertising, there are no legal prohibitions on newspapers, television or radio serving ads along with content. There is also little question that without advertising, the price of content would rise significantly or its availability would diminish, or both.


Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

You Would Think They Would Know Better

Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free rein to use or abuse access privileges—which apparently happens too often.

The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.

Data, Data Everywhere, But Hackers Drop into Secure Websites

Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.
 


Data Security Breach - Who Are You Going to Call?

The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York and who owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to the well over 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data. And no company should have to worry about not having the right legal advice when dealing with their customers, regulators and law enforcement officials. Reed Smith has a Data Security Group that keeps track of these laws in the United States and throughout the world.

Internet Privacy & Defamation - Mind Your ISPs & Qs

John Hines in our Chicago office is one of the authors of “Anonymity, Immunity and Online Defamation: Managing Corporation Exposures,” published in the Sedona Conference Journal and cited by the 7th Circuit. Earlier this month, the 9th Circuit rendered a decision many think may erode immunity accorded to ISPs, websites and services with defamatory content posted on their sites (Fair Housing Council v. Roommates.com). But did you know that last week, the New Jersey Supreme Court rendered a significant decision recognizing a privacy interest in subscriber data which may impact corporations’ ability to pierce anonymity (State v. Reid)? John has authored a Reed Smith Bulletin noting this extraordinary decision, departing from U.S. Constitutional standards and holding that the right to privacy extends to subscriber data in the possession of an ISP. The case involves a company that gave local police the IP address, registered to Comcast, of an employee on leave who visited a company supplier’s website, making unauthorized changes. After she was indicted, lawyers moved to suppress the evidence, arguing that without a valid subpoena, the employee’s expectation of privacy barred Comcast’s disclosure. New Jersey agreed, expressly extending its State “Constitutional” right of privacy to subscriber data provided to ISPs, noting “[u]sers make disclosures to ISPs for the limited goal of using that technology and not to promote the release of personal information to others.” Given the state of technology, the “IP addresses cannot be matched to an individual user without the help of an ISP,” and users have a reasonable expectation of privacy. Although the ruling is in the context of a criminal case, it will likely present challenges for corporations pursuing civil remedies and seeking to pierce the anonymity of individuals responsible for defamation and other speech torts. John and a team of Reed Smith lawyers know this area—reach out to him.

To Collect or Not To Collect, That's the Dilemma?

This article was contributed by Adam Snukal, Esq.

Surfed the web lately? Seen a banner promoting a product, service or trip to Ireland you priced yesterday? Serendipity? Luck? Cookies? Yes, it’s those tiny files placed on your computer when you visit a website. Advertisers can now parse through cookies on your computer when you visit certain websites and instantaneously serve up advertisements based on your historical online behavior—“behavioral marketing.” For some, this is a great convenience. For others, like New York State Assemblyman Richard Brodsky, this is invasive and should be stopped unless the consumer has given consent.

Assemblyman Brodsky sees the acquisition of Doubleclick by Google as a step backward for consumers since the combined company could tap into a reservoir of consumer behavior and search data on an individual basis. So he introduced a bill aimed at restricting Internet behavioral marketing—The Third Party Internet Advertising Consumers’ Bill of Rights Act of 2008—that would prohibit advertisers from collecting and using sensitive, personally identifiable information from users online; require websites to clearly and conspicuously disclose behavioral policies and practices; give consumers the right to opt-out of profiling practices; prevent their online behavior from being collected and used to deliver targeted advertisements; and police how advertisers are permitted to merge and synthesize such information with other data (e.g., merging personally identifiable information collected offline with information collected online). Opponents—some of the largest interactive advertising and media companies—have voiced their opposition in a letter to Assemblyman Brodsky, noting, “Time after time, state laws that have attempted to impose this sort of broad Internet regulation have been struck down by the courts, doing nothing more than making taxpayers bear the expense both of defending the lawsuit and paying the successful plaintiffs’ attorneys fees.”


It's a Dynamic Environment Out There: Yes, You Can Still Avoid Being a Target

Most of us know the law tends to lag behind the marketplace. It is in the nature of most legal systems to try and balance statutory and regulatory authority—which makes rules based on experience or potential issues that will apply to future conduct—with judicial and regulatory decisions—cases that are adjudicated, create precedent and help shape the contours and boundaries of what is or is not permissible behavior within the statutory authorities.

In such a framework, we are often asked to counsel clients as to what is or is not acceptable when there may be little law, few regulations and sometimes no precedent. What to do? Well, as you may imagine, there is no simple answer. But there are some guideposts. A key guidepost is to consider common sense, best practices and some lessons learned from analogous legal precedent.


'You Know How to Whistle, Don't You? Just Put Your Lips Together and Blow.'

If you don’t know who said that or in what motion picture, stop reading and go to the next article. California Governor Schwarzenegger has just signed a bill specifically aimed at altering the future results of fact patterns analogous to two recent court decisions relating to the licensing of publicity rights for deceased celebrities. The two cases—one in New York and the other in California—dealt with a challenge to the right to license the use of Marilyn Monroe’s name and likeness for commercial purposes. The rulings stated that because at the time of her death neither California nor New York had a law allowing publicity rights to survive the death of a celebrity, and because those rights were not specifically bequeathed by Marilyn Monroe, those rights could not be construed as part of the “rest, residue and remainder” of her estate, and consequently not be part of the rights available to her estate (or subsequent licensors like the plaintiffs in these cases).

The legislation just signed by Gov. Schwarzenegger makes retroactive to before Jan. 1, 1985, the right of a celebrity’s estate to construe publicity rights as part of a “rest, residue and remainder” as a bequest in a celebrity’s will. January 1, 1985 was the effective date of the current California law allowing publicity rights to survive the death of a celebrity. Unfortunately, New York still does not have a law allowing publicity rights to survive the death of the celebrity.

The Empire Strikes Back?

You can’t possibly have missed the flurry of articles in the press over the past few years regarding identity theft and the measures being taken (or vulnerabilities exposed) to protect the non-public, personally identifiable financial information consumers access, use and provide in the course of routine payment transactions—both off and online. Indeed, several years ago, the Payment Card Industry (“PCI”) began formulating its own self-regulatory standards governing the protection of consumer information relating to the processing of credit, charge and debit card transactions. This has led to the development of the PCI Data Security Standards (“DSS”) and corresponding Data Security Audit Guidelines. In broad terms, the PCI DSS requires the protection (by encryption or other effective means) of personal information in the payment card process—whether in storage, card processing, point of sale/purchase, recordkeeping—in every link in the chain of payment using a payment card or device linked to an account at a financial institution.

As a result of the furor over the release of private information—including releases from governmental agencies and databases (e.g., social security numbers, driver’s license numbers)—more than 30 states have passed specific legislation requiring companies that know, or reasonably suspect, that data, databases or electronic/digital information involving personal information of consumers has been compromised or actually leaked, to disclose and notify consumers affected (or potentially affected) by the security lapse or potential breach. Federal legislation has been proposed, although nothing has yet been enacted, and the states have stepped in to fill the perceived gap and protect the information of their citizens, and to regulate the conduct of companies doing business within their borders.

Much of the angst over the private sector, commercial transaction compromises over security—starting most visibly with ChoicePoint several years ago and continuing in a steady stream thereafter—arises from the fact that retail merchant establishments have traditionally not had to worry about privacy and the secure management of customer personal and financial information, primarily because they haven’t been regulated or needed to do so. Enter the digital age of information and the ability of marketing and advertising gurus (within and for retailers) to data-mine and use vast amounts of previously cumbersome and often unattainable information about customers. If information has always been power, then digital information transforms that power exponentially, at the speed of light (literally, for those physics majors masquerading as lawyers or marketing professionals).


COPPA - Xanga Settles

Based on a complaint that Xanga knew it was collecting (and sharing) personal information from children under the age of 13 (they asked for and were given the birth dates from registrants), the FTC reached a settlement agreement in which Xanga.com agreed to pay a civil penalty of $1 million. The complaint also alleged that Xanga didn’t notify children’s parents, nor did they give parents access to or control over their children’s information.

The Children’s Online Privacy Protection Act (“COPPA”) mandates that commercial web sites give parents notice and get consent before collecting personal information from children they know to be younger than 13 years old. The order which is part of the settlement with the FTC forces Xanga to erase any personal information collected and stored that violates the Act. Xanga also will have to put up hypertext links for the next five years to FTC-designated consumer educational materials.

Social networking has been in the news recently for many reasons. Recently, Facebook was faced with controversy when it started serving automated alerts about users’ friends and classmates. Facebook has fewer than 10 million users, compared with MySpace—which is now owned by News Corp.—which has in excess of 100 million users.

Global Forum Shopping in Defamation Cases Gets More Difficult

In a decision of potentially great import, the UK’s top court sided with a European newspaper (The Wall Street Journal Europe) in a defamation case. Until now, British libel laws had been among the most plaintiff-friendly of any jurisdiction in the world, in part based on a 2001 libel decision known as Reynolds vs. Times Newspapers Ltd. that was intended to protect serious investigative journalism on matters of public concern.

It is expected the ruling will now allow the media in the United Kingdom to better defend against libel actions by asserting reports were in the public interest, involving responsible journalism, protections similar to those of the U.S. media under the First Amendment of the Constitution of the United States. The High Court articulated the new standard for such decisions as being “whether the defendant behaved fairly and responsibly in gathering and publishing the information.” If journalists and editors behave responsibly and the news story is of public importance and relevance, the fact that there are defamatory allegations against prominent people in the report, does not, in and of itself, permit damages for libel.

Disclosures, Decency and Data Security

For the record, privacy, data protection, information security and international law have officially converged with management, compliance and marketing. More than 30 U.S. states have now passed legislation in one form or another that requires businesses to notify consumers if an actual or potential breach of data security may lead to the compromise of personally identifiable information. This comes on the heels of several years of the government tightening its own policies regarding data security breaches and instances of compromised security.

Recently, the Office of Management & Budget, which oversees U.S. federal agencies, announced a tougher policy for government, requiring agencies to follow the security procedures checklist prepared by the National Institute of Standards and Technology (“NIST”) to protect data. An internal OMB memo recommends that data on mobile computers and devices carrying agency data be encrypted, and suggests two-factor authentication (one being separated from the actual computer obtaining access to the data).

As noted in prior issues of Legal Bytes, requirements and compliance obligations for commercial enterprises doing business across state lines and national boundaries vary, although many have common themes. If you are concerned—and you should be—contact us. We can help you sort out your current compliance obligations and help you keep track of the changing privacy and data protection landscape, both domestically and internationally. Even if you choose not to inject your views into the regulatory process, you must keep abreast of developments or risk action by consumers and regulators.


Web Videos Test the Limits of Feeds, Uploads & Time-Shifting

Web-based videos, through links, feeds or user uploads, are generating significant legal and commercial interest these days. Advertisers are also quick to recognize the potential “buzz” marketing opportunities enabled by the use of the Internet and digital audiovisual technology. User-generated content draws consumers to websites, powerful magnets for advertising messages targeted to those consumers. But beware: Simply because a consumer creates the content, doesn’t mean it is immune from standard legal tests for advertising, endorsements, publicity and product liability.

A lawsuit has recently been filed against one online video-sharing network—Veoh—alleging it allowed video works owned by an adult entertainment company to be viewed through Veoh’s website without authorization. The claims of copyright infringement could be an important test of how the courts view sites that enable sharing or feeds of audiovisual works. Although there are a growing number of popular user-generated content sites such as IFILM, YouTube, Guba, Yahoo! and Google, these sites often have very different policies and some, but not all, of them review user-generated content before it is posted—either to ensure it meets guidelines or to confirm that the user’s tags are accurate.

Earlier this month, the New York State Consumer Protection Board published an official warning about content available on Google Video, the new Google site for user-generated content. Because videos are uploaded by users, Google Video relies on tags (labels which describe the content) which are input and generated by the users. Since the content is not indexed or catalogued by Google, a search will turn up whatever the user submits—and that is what has irritated the New York authorities. As with many websites that allow user-generated content to be uploaded for viewing, Google warns users about uploading obscene or illegal material or items protected by copyright, but currently has no mechanism for filtering it out.

In a move widely viewed as adding an air of legitimacy to these sites, Warner Bros. agreed to allow Guba to distribute some of its television shows and motion pictures, online. NBC is allegedly planning to make clips of some of its most popular programs available to YouTube to promote its fall programming lineup. NBC’s decision is reportedly coupled with advertising commitments for both companies in broadcast television medium and the Internet. That should come as no surprise since advertising is what is usually at the root of all of these revenue models—a fact that has not escaped broadcast network executives.

Also this month, a number of leading television production and motion picture companies joined forces in filing suit against Cablevision, one of the largest cable television companies in the United States. The action asks the U.S. District Court in New York to declare the time-shifting service Cablevision has announced, but not yet offered, in violation of U.S. copyright law. Cablevision has countered that time-shifting of programming by consumers is legal. Unlike an “on-demand” service which would record everything and replay programs when selected by the consumer, Cablevision intends to offer subscribers a specific amount of allocated storage space on the network. Analogous to an outsourced set-top box or digital video recording device that a consumer might purchase, Cablevision will offer consumers an opportunity to buy storage space and use it to record and play back programs and then erase them to free space for new programs—no different than if the storage medium was sitting in their living rooms. Stay tuned.

California Court Takes a Bite Out of Apple

In Apple v. Does (a.k.a. O’Grady v. Superior Court) Apple Computer sought to find the sources of certain leaks and rumors relating to trade secrets associated with an Apple product. Apple wanted to compel an email provider and Web publishers to divulge the information and the California Court of Appeal said “no,” ruling that the Stored Communications Act (the “Act”) prohibits these kinds of civil discovery efforts and prohibits Apple from compelling disclosure of the identity of the Websites’ sources. Aside from the holding that such a subpoena is not enforceable under the plain meaning of the Act, a subpoena compelling the disclosure of unpublished information from these particular entities would be unenforceable because of shield protections afforded reporters in California and, under the facts presented to the court, trying to get at these particular sources is protected by a conditional constitutional privilege against compulsory disclosure of confidential sources. If all this sounds like a lot of legalese, the bottom line is that Apple was barred from obtaining this type of information.

Data Protection/Breach Disclosure Laws

In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.

Why-Fi??

In New York’s Westchester County, legislators are proposing a new law to compel commercial businesses (including home offices) that have an open wireless access point to have the “network gateway server” fitted with a firewall to block intrusions. Under the proposed legislation, not only may “public Internet access” not be provided without a gateway server equipped with a firewall, but any business or home office that stores personal information as well must install a server with a firewall—even if the wireless connection is encrypted and not open to the public. Publicly available Internet access sites would have to post a sign: “You are accessing a network which has been secured with firewall protection. Since such protection does not guarantee the security of your personal information, use discretion.” Come on.

Fine Tuning Financial Privacy

This June, the Ninth Circuit, overturning a lower court ruling, held that the Fair Credit Reporting Act (FCRA) does preempt some part of the California Financial Information Privacy Act (aka SB1). The court held that the FCRA does, in fact, preempt state affiliate sharing laws insofar as a “consumer report” is concerned. Where affiliate sharing does not involve a “consumer report” as defined in the FCRA, state laws are not preempted. What this means if you do business in California: (a) the SB1 opt-out will not apply when affiliates share consumer report information; (b) the SB1 opt-out will apply when affiliates share information that isn’t a consumer report; and (c) the SB1 “opt-in” governing disclosures of information to non-affiliates will continue to be applicable and enforceable.

Adware? Spyware? Aware? Beware? Do You Care?

Intermix Media has reportedly agreed to pay $7.5 million to settle a lawsuit filed by the New York Attorney General, and if true, this represents the largest fine in a consumer online privacy action to date. In addition to agreeing to hire a Chief Privacy Officer, Intermix must agree to stop distributing its adware/spyware and redirect programs which the NYAG alleged were downloaded to consumers’ personal computers with inadequate notice, and then hidden to make it difficult to remove. Besides the annoyance which consumers rail about, often such hidden programs can be part of more elaborate identity theft and security breaches, sometimes without the knowledge of the company that created them. The lawsuit’s primary claims were false advertising and deceptive business practices under New York’s General Business Law statutes.

Security Checks Out

OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well, it turns out that one group of them—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—is being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding on the magnetic stripe of our plastic money, which is supposed to authenticate the card and provide a degree of transactional security in processing payment, is being retained by the merchants’ systems rather than being immediately deleted and cleansed from those systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise the cardholder’s personal information in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customers’ credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but also claims that its contract with BJ’s disclaims liability for damages arising from security breaches. OK, all of you go check your software contracts. Now.
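The retention problem described above, as an added example that is not from the newsletter or from any merchant or vendor named in it: a log sanitizer that drops magnetic stripe track records and masks Luhn-valid card numbers before lines are written, plus an audit count of lines that still hold full data. The log format and the sample lines are constructed for illustration, and the card numbers are standard test numbers, not issued cards.

```python
import re

# Constructed sample log lines (assumed format); the PANs are standard test
# numbers, not issued cards. Lines 2 and 3 carry raw track data of the kind the
# text says should never be retained after authorization.
SAMPLE_LOG = [
    "2005-05-01 12:00:01 AUTH ok pan=4111111111111111 amt=42.10",
    "2005-05-01 12:00:02 RAW ;4111111111111111=08051011234567890123?",
    "2005-05-01 12:00:03 RAW %B5500000000000004^DOE/JANE^0805101123456789?",
    "2005-05-01 12:00:04 INFO order=1234567890123 shipped",
]

# Track 2: ;PAN=YYMMsvc...?    Track 1: %BPAN^NAME^YYMMsvc...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{7}[^?]*\?")
# A bare 13-19 digit run is only treated as a PAN if it passes the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, enough for reconciliation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Drop whole track records first, then mask any remaining Luhn-valid PAN."""
    line = TRACK2_RE.sub(lambda m: f"[TRACK2 {mask_pan(m.group(1))} DROPPED]", line)
    line = TRACK1_RE.sub(lambda m: f"[TRACK1 {mask_pan(m.group(1))} DROPPED]", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(1), line)


def redact_log(lines):
    return [redact(line) for line in lines]


def count_exposed(lines) -> int:
    """Audit helper: how many lines still hold track data or a full PAN."""
    return sum(1 for line in lines
               if TRACK1_RE.search(line) or TRACK2_RE.search(line)
               or any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)))
```

Running `count_exposed` over existing log archives is the check the merchants in the text evidently lacked; `redact` belongs in the logging path so the data never reaches disk.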

Did Anyone at ChoicePoint Read the February '04 Issue of Legal Bytes?

Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.

The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!

California's a Trendsetter: This Time It's Privacy

No longer merely the source of new fashion trends or technology movements (or McDonald’s), California is quickly becoming the thought leader in protecting consumer privacy. Two new laws, one which deals with personal information given to third parties for marketing (SB27) and another which obligates businesses to adhere to certain security requirements for using and storing personal information, both came into effect January 1, 2005. The marketing law (SB27) requires businesses with 20 or more employees to give consumers detailed disclosures about not only what customer information they have shared with third parties, but also the contact information for and descriptions of those parties. Want to avoid the disclosure obligations? Simple. Allow your customers a free opt-out election from having their personal information shared. That said, you will still have to let your customers know how and to whom they can inquire about these requirements – even if your business offers the opt-out choice to consumers. By the way, if you are already subject to the stricter requirements of California’s financial privacy act, you are exempt. While there are some additional exemptions, they are narrow, and anyone doing business in California shouldn’t be too quick to conclude they are exempt without consulting legal counsel. California’s Office of Privacy Protection has drafted a set of recommended practices which attempts to harmonize the requirements of this new act with the California online privacy act, the state’s financial privacy provisions, the federal Gramm-Leach-Bliley Act, HIPAA, and European Union privacy directives. Good luck.

Do you or your contractors have sensitive personal information (e.g., names and addresses in combination with social security numbers and PINs) that could lead to identity or financial theft if compromised? What about medical information about a person’s diagnosis and treatment? Start ensuring you have “reasonable” practices to protect that information from unauthorized access, use, modification and disclosure—and it doesn’t matter if the information is on paper or in electronic form. Both are covered. While the legislative history makes it clear that no one particular standard is “the standard” for “reasonable” security, a company will need to designate a specific individual who is responsible for the company’s security program, and will need to establish a security task force—including a compliance officer and legal counsel. To avoid running afoul of the standards, not only must practices and a task force be implemented, but companies will also have to demonstrate that they periodically test and monitor how the security measures are working, make risk assessments, and fine-tune their security measures to keep them appropriately up to date. Need employee training? Need help implementing background checks, confidentiality agreements, encryption and record retention/destruction requirements, and disciplinary measures? Call the lawyers at Reed Smith. We can help.

Remember California’s security breach notification law (we told you about this and you get another prize if you can identify the back-issue in which we did so)? That law requires businesses to disclose security lapses. This new law creates a new duty and standard of care. Lawsuits arising from breaches in security (you remember California’s Business and Professions Code section 17200) can now use AB1950 as a discovery prod to determine if your business has used and effectively maintains reasonable security measures.

Consider this: California has already passed more than a dozen laws to protect privacy—many of which have now spawned federal legislation, some already passed and others in process. SB186 bans unsolicited e-mail and AB1769 bans text messaging advertisements to cell phones and pagers. AB1733 mandates consent from customers before a wireless carrier can list their phone numbers in a 411 directory, and SB1436 restricts keystroke monitoring software, website tracking software, and software that attempts to control personal computers.

Privacy is Back in the News

In last month’s issue, we mentioned (in “Gnu & Gnoteworthy”) that the F.D.I.C. released a report entitled “Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks”. Well, privacy issues are popping up all over the place again.

California Financial Privacy Act

The California Financial Privacy Act of 2003 became effective July 1st. It requires banks to give customers the right to opt out of sharing information with bank affiliates that have separately regulated lines of business, and requires banks to get permission from customers before sharing information with outside companies. After the law was enacted, the American Bankers Association, Consumer Banking Association and Financial Services Roundtable filed suit claiming that the Fair Credit Reporting Act—the federal law regulating sharing of information among affiliates—preempted state law and that the part of the statute attempting to limit sharing of information among affiliates was therefore invalid. Not so, said the Judge. To the surprise of bankers scrambling to comply, a recent notice from the California Department of Financial Institutions indicated it would begin enforcing the law immediately!

The Judge ruled that since the FCRA only applied to the sharing of “credit reports,” the California law covering a broader range of customer information was not preempted by federal law. Will the ruling be appealed? Will other states follow suit?


Privacy Policies to be Required by California on All Commercial Websites

California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.

California’s Online Privacy Protection Act of 2003 becomes effective July 1, 2004, and applies to commercial website owners and online services that collect and maintain “personally identifiable information” from a “consumer” residing in California. This will likely apply to all businesses selling goods or services online in the United States. To comply, among other things, the privacy policy must identify the categories of information collected; the third parties who have access to it; how a consumer may review and correct information; and how consumers will be notified of changes in the policy. The statute also requires website owners to “conspicuously post” a privacy policy on their websites. A website owner can satisfy the requirement by posting the policy on its home page or by providing a hyperlink from that page to the policy. The link must include the word “privacy” and meet certain requirements as to capitalization, type size, font, contrasting color or other marking that call attention to the link and the policy. Online service providers must use “reasonably accessible means” to make their policies available.

This act is a good reason for businesses to review existing privacy, website and online practices. Re-examine privacy promises and consider liability waivers. If you have not yet adopted a privacy policy, now is the time to do so!