When Flash cookies (also known as a “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy. 

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

• Email This
• Print
• Comments
• Trackbacks

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

• Email This
• Print
• Comments
• Trackbacks

On Wednesday, September 26, 2009, a lawsuit was filed in federal court in Maine to enjoin Maine’s new predatory marketing to minors law, which was previously discussed on our blog. If not enjoined, this problematic law is scheduled to go into effect on September 12, 2009.

The complaint, filed on behalf of offline and online entities, alleges that the law violates the First Amendment and the Commerce Clause of the Constitution, as well as 42 U.S.C. § 1983, and is preempted by COPPA (the Children’s Online Privacy Protection Act).   Injunctive and declaratory relief is sought, as well as attorney’s fees. 

• Email This
• Print
• Comments
• Trackbacks

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all business, not just small businesses.

 

• Email This
• Print
• Comments
• Trackbacks

In Hernandez v. Hillsides, Inc., S147552 (Aug. 3, 2009) [pdf], the California Supreme Court unanimously held that the mere placement of a hidden video camera in an employee's office could constitute an invasion of privacy, even if the camera was never actually used to record the employee.  Under the specific facts of the case, however, the Court ultimately found no liability because the intrusion was relatively minor, limited and justified, but California employers should be aware that the use of hidden surveillance cameras without notice or warning in "semi-private" office space is likely to produce an actionable claim for invasion of privacy in many cases. 

• Email This
• Print
• Comments
• Trackbacks

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not have knowledge that the information regards a minor.

• Email This
• Print
• Comments
• Trackbacks

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. 

WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several years that it is relatively easy to break into a WEP-secured wireless network. For that reason, as discussed further below, industry standards as well as regulators require that WPA (instead of WEP) be used to secure wireless networks that are used to transmit sensitive information such as credit card numbers. Nonetheless, many companies are still using WEP.

• Email This
• Print
• Comments (1)
• Trackbacks

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

• Email This
• Print
• Comments
• Trackbacks

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

• Email This
• Print
• Comments
• Trackbacks