On March 10, 2009, the European Court of Human Rights held that the British Internet publication rule does not violate the right to free expression guaranteed by Article 10 of the European Convention. The case has profound implications for those bringing privacy- or disclosure-related tort claims based on materials available on the Internet – where U.K. law applies.

• Email This
• Print
• Comments
• Trackbacks

By Jeffrey D. Neuburger and Sara Krauss

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009).

Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information.

• Email This
• Print
• Comments
• Trackbacks

A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost of stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen. 

• Email This
• Print
• Comments
• Trackbacks

The UK Information Commissioner Office ("ICO", the UK data privacy agency) has recently issued an informative code of practice to assist companies collecting personal data so that they can better draft clear privacy notices to data subjects about how the company intends to use personal data, and especially when such data is considered to be of a confidential or sensitive nature. The published guidelines are subject to a consultation period and will be finalized after the consultation period ends, on April 3, 2009.

In issuing the guidelines, the ICO made clear that privacy polices were essential to reassure companies’ potential and existing customers that that the privacy of their data is taken seriously.

The principal purpose of the guidelines is to remind companies that they must inform all data subjects about:

• the transfer of data to other companies and overseas;
• the duration of storage;
• the measures taken to ensure the security of the personal data;
• the possibility to object to direct marketing;
• who to contact if there is a complaint.

In promulgating the guidelines, the ICO reminded the companies of their obligations under the EU Data Protection Directive of 1995, which provides that all personal data must be processed "fairly and lawfully."

At a time when data breaches and online marketing have become increasingly common, it is essential that UK companies issue transparent policies about the collection, use, sharing, and security of personal data.

Jeremy Mittman in Proskauer's Los Angeles office contributed to this post.

• Email This
• Print
• Comments
• Trackbacks

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts on the history here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

• Email This
• Print
• Comments
• Trackbacks

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed -- for the second time -- its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered-compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)

• Email This
• Print
• Comments
• Trackbacks

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt.  These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts.  Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

• Email This
• Print
• Comments
• Trackbacks

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.

• Email This
• Print
• Comments
• Trackbacks

On Tuesday, the Ninth Circuit denied rehearing en banc in Quon v. Arch Wireless, previously discussed here.  The dissent (1)  disagrees with the panel's conclusion that the SWAT team members had a reasonable expectation of privacy in the text messages on the grounds that the decision undermines the standard established by the Supreme Court in O’Connor v. Ortega, 480 U.S. 709 (1987); and (2)  finds that the method used by the panel to determine whether the search was reasonable conflicts with Supreme Court precedent holding that the Fourth Amendment does not require the government to use the “least intrusive means” when conducting a “special needs” search.  The dissent can be found here.  Judge Wardlaw's concurrence in the denial of rehearing en banc can be found here.  We will keep you posted on this one.

• Email This
• Print
• Comments
• Trackbacks