On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

• Email This
• Print
• Comments
• Trackbacks

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

• Email This
• Print
• Comments
• Trackbacks

The popularity of crime dramas on primetime television schedules has made certain aspects of genetic testing commonplace and uncontroversial.  However, as science continues to advance at an exponential rate, and as technology and innovation have invaded the realm of individual privacy rights, individuals’ genetic make-up are likely the next frontier.

At least 32 states have genetic privacy laws on the books.  These states have taken steps to protect genetic information beyond the protections given to other types of health information.  This is referred to as “genetic exceptionalism,” which calls for special protections for genetic information due to its predictive, personal and familial nature and other unique characteristics.  Generally speaking, state genetic privacy laws restrict parties (such as insurers or employers) from taking a particular action without consent.  These laws cover a broad range of issues, including:

• Requiring personal access to genetic information;
• Requiring consent for performing tests, obtaining or accessing genetic information, retaining genetic information, and/or disclosing genetic information;
• Defining genetic information or DNA samples as personal property; and
• Providing for specific penalties for genetic privacy violations.

• Email This
• Print
• Comments
• Trackbacks

In January 2009, we reported on the postponement of a controversial federal regulation resulting from a legal challenge filed by Proskauer Rose on behalf of several trade organizations, including the U.S. Chamber of Commerce. The rule, the result of an executive order signed by then-President George W. Bush, requires most federal contractors and subcontractors to verify their employees’ work eligibility using the Department of Homeland Security’s E-Verify system. On July 8, 2009, President Barack Obama’s Administration announced its plan to go forward with the rule. Immediately after this announcement, the U.S. Senate approved legislation that would codify the rule into law.

• Email This
• Print
• Comments
• Trackbacks

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

• Email This
• Print
• Comments
• Trackbacks

On June 16, 2009, in Pietrylo v. Hillstone Restaurant Group, USDC D.N.J. Case No. 2:06-cv-5754-FSH-PS, a New Jersey federal jury found that the Houston’s restaurant chain violated the Stored Communications Act (SCA) and the New Jersey Wiretapping and Electronic Surveillance Control Act (NJWESCA) by allegedly requiring an employee to surrender to Houston’s managers login information that would allow access to an employee MySpace gripe group called “Spec-Tator.” Spec-Tator’s creators, Brian Pietrylo and Doreen Marino, were fired for violating Houston’s policies regarding professionalism and positivity. They sued for alleged violations of their common law right to privacy, freedom of speech, the SCA and the NJWESCA, and for wronful termination.

Liability hinged on whether access to Spec-Tator was unauthorized. When Pietrylo and Marino created the group, they invited a select group of Houston’s employees, but no managers. The SCA and the NJWESCA extend liability to parties that exceed authorization to access electronic communications. Thus, the jury form asked: “Did Houston’s knowingly or intentionally or purposefully access the Spectator without authorization from Karen St. Jean?” The jury answered in the affirmative and awarded to plaintiffs $17,000 in compensatory and punitive damages.

While employers with appropriately-worded policies may monitor employee communications using company equipment, the Hillstone verdict, as well as the court’s refusal to dismiss the SCA and NJWESCA claims on summary judgment, indicate that employers may be liable if they exceed their authorization by accessing protected sites not intended for them to see. However, there is extensive grey area yet to be explored. For example, the outcome of the case might have been different had a Spec-Tator user logged in using a work computer and failed to log herself out, or if Spec-Tator had dropped a cookie onto her computer permitting persistent login.

Summer Associate Todd Mobley contributed to this report.

• Email This
• Print
• Comments
• Trackbacks

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity thefts, loss of employment or business opportunities.  In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken off of a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users.  The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks both to users and third parties of uploading information.  If third party information or pictures are uploaded, it should be done with that individual’s consent. They should also provide information and adequate warning to users about privacy risks when uploading data on the SNS.

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

Retention of Data – Personal data of users should not be kept after their accounts are deleted.  When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

Thus, companies that do not operate an SNS may still governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

• Email This
• Print
• Comments
• Trackbacks

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act. 
 

• Email This
• Print
• Comments
• Trackbacks

The Ohio Court of Appeals, in State v. Wolf, No. 08-16, slip op. (Ohio Ct. App. 5d April 28, 2009), recently upheld application of Ohio’s computer crime law to an employee who used his work computer to engage in criminal conduct (solicitation of a dominatrix-prostitute). While this holding may seem uncontroversial, another aspect of the decision might open the door to imposing criminal liability on employees for violating employer computer use policies.

Wolf was a Shelby City Wastewater Treatment Plant employee. The plant superintendent discovered nude photographs on Wolf’s work computer while performing routine maintenance. The superintendent notified police, who discovered that Wolf used the city-owned computer to solicit a prostitute, visit pornographic websites and upload nude photographs of himself during work hours.  At trial, the jury found him guilty of soliciting prostitution, theft in office and unauthorized use of a On appeal, Wolf challenged the trial court decisions overruling his motion for acquittal on both the charge of theft in office and the charge of unauthorized access to a computer. The Court of Appeals agreed that the trial court should have acquitted on the theft in office charge, but ruled that Wolf’s use of the office computer was unauthorized under Ohio law.

• Email This
• Print
• Comments
• Trackbacks