Library of Congress

Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://privacylaw.proskauer.com/

Archived: 12/05/2008 at 00:12:48

MA Delays Implementation of Information Protection Standards

Businesses holding personal information of Massachusetts residents have at least one thing to be thankful for this holiday season.  As reported here, Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. Those standards include encryption of electronic data when stored or transmitted and were set to take effect January 1, 2009.

In light of current economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) delayed the general compliance deadline until May 1, 2009 – the same date the FTC’s new red flag rules take effect (as reported here, here and here).  The OCABR also extended a number of other related deadlines, which are listed in the OCABR’s announcement available here.

Privacy Issues When "Computing in the Cloud"

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues.  Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide.  Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company’s computer infrastructure and placing it in the hands of a vendor who can perform a company’s computing needs more cheaply and efficiently than the company can itself.

Privacy under the 44th President? Will the New Administration Bring a New Playbook?

As we prepare to welcome both the 44th President and a revamped Congress to Washington, it is time to consider what privacy under the new administration will look like. Barack Obama polled strongly on the campaign trail as the candidate most likely to advance individual privacy rights, but are the pollsters a good indicator of what privacy will look like under the new administration? Here are some of our thoughts about what we may see in the next four years.

CAN of Worms?: New Decision Opens CAN-SPAM Private Right of Action to Non-ISPs

A recent decision in the Western District of Washington broadly defines the reach of the private right of action under the federal CAN-SPAM statute. In that case, Haselton v. Quicken Loans Inc., W.D. Wash., C-07-1777, 10/14/08, the court held that a company had standing to sue alleged spammers even though it is not an Internet service provider (ISP) and does not provide e-mail accounts to its customers.

Plaintiff Peacefire’s website allows its users to circumvent website filtering and content-control software. Peacefire successfully argued that it is an “Internet access service” (IAS) within the protection of CAN-SPAM. CAN-SPAM uses the COPPA definition of IAS: “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.” 47 U.S.C. § 231(e)(4); 15 U.S.C. § 7702(11). Defendants unsuccessfully argued that only ISPs have standing to sue as IASs. The court rejected that argument, holding that Peacefire qualifies as an IAS because it provides “further access” to the Internet, even though it does not provide consumers with an initial connection point as an ISP. The plain language of this definition, according to the court, does not require an IAS to provide Internet connectivity to end users.

NY State Releases Business Guide to Handling Personal Identifiable Information

The New York State Consumer Protection Board has released a guide for New York businesses regarding the handling of personal identifiable information and the avoidance of identity theft. The guide also includes a form for reporting breaches to NY state agencies.  The guide is available here.

One Reputable Retailer Takes a $7M Hit On Text Messages

On September 10, 2008, Timberland Company, an outdoor clothing and shoe merchant, along with co-defendant ad agencies GSI Commerce Inc. (“GSI”) and AirIt2Me Inc. (“AirIt2Me”), settled charges brought under the Telephone Consumer Protection Act (“TCPA”) arising from unsolicited text messages advertising Timberland’s holiday sale.  Pursuant to the settlement, Timberland must employ best practices in future marketing, and must pay $7 million into a fund for distribution to the class.  Prior to any future mobile marketing campaign, GSI agreed to circulate to its marketing personnel a copy of the Mobile Marketing Association’s Consumer Best Practices guidelines, and to establish meaningful training and compliance checks in connection with those guidelines. Additionally, the defendants must pay class counsel a maximum amount of $1,750,000.  The settlement has been agreed to by all parties, but is still subject to final approval by the court.

UK Court Parts with US Court regarding Compelled Disclosure of Encryption Keys

On October 9, in the case R v. S and A [2008] EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention of Human Rights.  The U.K. court’s ruling is at odds with Magistrate Judge Jerome J. Niedermeier’s ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4245473 (D. Vt. Nov. 29, 2007).

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

German Court Rules that IP Addresses Are Not Personal Data

A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company's server do not constitute "personal data" under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), "personal data" is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes "personal data" is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, the EU Article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) opined in 2007, and again in 2008 in more detail (as reported here), that there is "no doubt" IP addresses do in fact constitute "data relating to an identifiable person" under the EU Data Protection Directive.

Telemarketers Beware: New FTC Restrictions on Prerecorded Calls Take Effect Soon

Although the use by businesses of prerecorded message telemarketing has been prohibited for years for most calls, many companies have continued to lawfully deliver prerecorded telemarketing calls to their existing customers or others with whom they are deemed to have an existing business relationship (“EBR”). The Federal Trade Commission’s (“FTC”) recent amendments to its Telemarketing Sales Rule (“TSR”) will greatly restrict that practice. Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer.

Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue even after September 1, 2009, when prior express written consent of the consumer is mandatory. The restrictions require that the prerecorded message: (1) state at the outset that the call recipient can ask to be placed on the caller’s company-specific do not call list; (2) make available an automated opt-out mechanism for “live” recipients of a call that enables the recipient to place the number on the company’s do not call list; and (3) if the call is answered by an answering machine or voicemail, leave a toll free number where the recipient can call and be connected to an automated system where they can opt out of further calls. In addition, such calls must ring for at least 15 seconds or 4 rings before they are disconnected and any message must begin within two seconds of the call recipient’s greeting. The new TSR amendments do not govern purely informational calls (e.g., a doctor’s appointment reminder), intrastate calls, or calls made by entities not regulated by the FTC. Most of those calls will continue to be subject to Federal Communications Commission (“FCC”) rules that permit prerecorded telemarketing calls to EBR consumers subject to the recipient requesting to be placed on a company’s own internal do not call list.