Understanding Privacy and Security Litigation
Michael P. McCloskey, Partner, Securities Litigation • 402 West Broadway, Suite 2100, San Diego, CA 92101 • Telephone: 619.685.6409 • Email: mmccloskey@foley.com
Andrew B. Serwin, Partner, IP Litigation • 402 West Broadway, Suite 2100, San Diego, CA 92101 • Telephone: 619.685.6428 • Email: aserwin@foley.com
Privacy • General Principles: • Notice • Choice • Onward Transfer • Access • Security • Data Integrity • Enforcement
Privacy • Ultimately Four Issues: • What information do you collect • What do you do with the information • When can’t you disclose it • When must you disclose it
Federal Privacy Statutes • Children’s Online Privacy Protection Act (COPPA); • Gramm-Leach-Bliley (financial); • Electronic Communications Privacy Act; • Health Insurance Portability and Accountability Act (medical); and • Others (FCRA, FACTA) • Right to Financial Privacy Act
COPPA (15 U.S.C. § 6501, et seq. 16 C.F.R. § 312 et seq.) • Restricts the collection of information from children 12 and under by “operators” of: • commercial websites that are directed to children 12 and under that collect personal information from children; • general websites that knowingly collect personal information from children 12 and under; and • general websites that have a separate children’s area and that collect personal information from children 12 and under. • Does not apply to ISPs in most circumstances
COPPA • FTC is very active with COPPA issues • Time out cookies • “Bounce” issues • From v. about • Age Field • The FTC just renewed the COPPA rules
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.) • There are two portions of the ECPA • The Wiretap Act; and • The Stored Communications Act • This is a temporal distinction
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.) • Wiretap Act and Councilman. • Prohibits “interception” of “electronic communications”. • "electronic communication" means "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce" • Unlike the definition of “wire communications” and the Stored Communications Act’s definition of storage, it does not include electronic storage, which is why the point at which a message is “intercepted” versus “stored” matters.
Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.) • For businesses, applies mostly in the employee-monitoring context. • Two potentially applicable exceptions: • activity necessary to protect the provider, another provider, or a user from fraudulent, unlawful or abusive use of the service; or • a person employed or authorized, or whose facilities are used, to forward such communication to its destination
State Employee Email Monitoring Laws • Connecticut • Requires notice and posting of notice of the employer’s monitoring policies • Delaware • Requires that notice be given every day to the employee • Certain exceptions apply for investigations • Civil penalties are available • Fischer v. Mt. Olive Lutheran Church
Federal Disclosure Statutes • Communications Assistance for Law Enforcement Act (CALEA); • The Patriot Act; and • The DMCA
The FTC and Privacy • FTC has an announced privacy agenda • Stepping up enforcement of spam laws • Increasing assistance to victims of identity theft • Enforcing companies’ privacy promises is also a focal point of the FTC’s agenda • Enforcing federal laws • Additional guidance is available via consent orders posted on the FTC website
The FTC and Privacy • Tower Records • Claimed to have reasonable security in the shopping cart area • Had a security flaw that permitted customer information to be revealed to other users • CartManager International • Third-party shopping-cart provider that misrepresented how it would use customer information collected through merchants’ sites • BJ’s Wholesale Club • Inadequate data security on wireless networks carrying credit card information
The FTC and Privacy • Sunbelt Lending Services • Violation of the GLB Safeguards Rule, including failure to assess risks and implement safeguards to control those risks, to train and oversee employees, and to monitor the network for vulnerabilities • DSW • ChoicePoint • CardSystems Solutions, Inc. • Inadequate data security was an unfair practice
Pretexting • Covered by GLB. • Also prohibited under a number of state and federal laws.
What is Pretexting? • Obtaining certain forms of information under false pretenses. • It can be improper depending upon the type of data, the type of person seeking it, and the purpose of the request.
Situations where pretexting has been used to obtain information • Disability claims (malingering) • Collection cases/background checks • Investigative/celebrity reporting • “Non-compete” investigations • To find witnesses, research alibis • Finance/accounting fraud allegations • Investigating falsification of records • Misappropriation of trade secrets • Misuse/theft of corporate assets • Derivative claims • Competitive intelligence • Litigation related investigations • To detect ongoing violations of law
Why would anyone pretext? • Difficult to discover information by other means • Subpoena/discovery power is unavailable • Legitimate information brokers have “dried up” • Information obtained by pretext is widely available on the internet as “research” for a fee • Disgruntled employees with access can be bribed • Information brokers contend method is not illegal, or an “investigative” or “prosecutorial” exception • Anonymity of source may lend false sense of legitimacy • Avoids having to close investigations for lack of proof • Deception gives criminals edge • Lack of enforcement
Risks of Improper Pretexting • Criminal, civil penalties, including aiding and abetting • Hewlett Packard case • Potential violations of attorney code of professional responsibility – potential disciplinary consequences • False statement of material fact or law to third person • Conduct involving dishonesty, fraud, deceit or misrepresentation • Failure to supervise • Counseling client to commit a crime or fraud • Misleading unrepresented persons • “Reflects adversely” on lawyer’s “fitness to practice” • Civil liability for investigator’s tortious conduct • Suppression of evidence, other sanctions • Adverse publicity
Pretexting and Investigations • The type of information sought can affect your ability to get it. • Where the information is coming from matters as well.
The Law of Pretexting • GLB • Wire fraud • The Federal Trade Commission Act/Telecommunications Act of 1996 • The Computer Fraud and Abuse Act • State identity theft laws • State restrictions on phone records • Common law fraud
Pretexting and State Law • Many companies are subject to many states’ jurisdiction, so consideration of state law is important. • Information sought from providers (telephone, financial, etc.) may itself be protected by the law of the state where the provider or the subject is located. • It is not always clear which law applies to your investigation.
California Law • California • Recently adopted SB 202. • It applies to telephone records. • Need fraudulent intent for obtaining records.
Most States Have Identity Theft Laws • Alaska • Arizona • Arkansas • California • Connecticut • Delaware • Florida • Georgia • Hawaii • Idaho • Illinois • Indiana • Iowa • Kansas • Kentucky • Louisiana • Maine • Maryland • Massachusetts • Minnesota • Mississippi • Missouri • Montana • Nebraska • Nevada • New Hampshire • New Jersey • New Mexico • New York • North Carolina • North Dakota • Ohio • Oklahoma • Oregon • Pennsylvania • Rhode Island • South Carolina • South Dakota • Tennessee • Texas • Utah • Vermont • Virginia • Washington • Washington D.C. • West Virginia • Wisconsin • Wyoming
State Public Utility Restrictions on Telephone Records • California Public Utilities Code Section 2891. • California Code of Civil Procedure Section 1985.3
What You Can Do to Prevent Problems and Run a Proper Investigation. • Find out what state and federal laws are applicable to your company/industry. • Check out your investigators. • Consider whether it is better to run investigations internally or externally. • Consider whether you really need the information you are seeking. • Consider including policies regarding information gathering in litigation or pre-litigation matters. • Consider inserting contractual language in investigator’s agreements.
What You Can Do to Prevent Problems and Run a Proper Investigation. • Restrict the gathering of certain types of information under false pretenses. • Limit the scope of your investigation to the purpose of the investigation. • Make sure you have a monitoring policy in place. • Consider whether you have authority to gather information from an employee’s computer or from the network.
International Issues • SOX • Whistleblower issues and foreign data protection regimes • Employee issues
California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22575 et seq.) • Applies if “personal information” is collected through the website • A website must then have a privacy policy that: • Discloses the types of information collected; • Describes the process, if any, for consumers to review and change their information; • Describes the process for consumers to receive notice of material changes to the policy; and • Identifies its effective date • Format and conspicuous-posting requirements also apply
Notice of Security Breach Laws (Cal. Civ. Code § 1798.82) • Triggered if there is a breach of data security; and • A consumer’s personal information is implicated • Applies even if there is simply a reasonable belief that the data was acquired by an unauthorized person • Notice may be delayed for law enforcement concerns • Direct notice typically required, though substitute notice is permitted in certain instances
Notice of Security Breach Laws • Issues to watch out for • What good is encryption? • Electronic v. non-electronic • North Carolina’s law applies to non-electronic • Is there a general duty? • Who else must notice be given to? • What form of notice? • Is notice required if there is no likelihood of identity theft?
Notice of Security Breach Issues • 33 other states (and the OCC) have enacted laws or rules • Including: Arkansas; Connecticut; Delaware; Florida; Georgia; Illinois; Indiana; Louisiana; Maine; Minnesota; Montana; Nevada; New Jersey; New York; North Carolina; North Dakota; Rhode Island; Tennessee; Texas and Washington • Ohio Attorney General action
Restrictions Upon the Collection of SSNs(Cal. Civ Code § 1798.85) • Companies cannot: • Post or publicly display SSNs; • Print SSNs on identification cards; • Require people to transmit SSNs over the internet unless it is encrypted or the connection is secure; • Use a SSN as a login unless a password is also required; or • Print it on materials unless legally required
Social Security Number Laws • Alabama • Arizona • Arkansas • California • Colorado • Connecticut • Delaware • Florida • Illinois • Indiana • Louisiana • Maryland • Michigan • Minnesota • Missouri • Nevada • New Jersey • New Mexico • North Carolina • Oklahoma • Oregon • Rhode Island • South Dakota • Tennessee • Texas • Utah • Vermont • Virginia • Washington • Wisconsin
California’s Data Security Law (AB 1950 Cal. Civ Code § 1798.81.5) • Broad law that applies across the board, even to non-electronic data • The law is triggered if a business owns unencrypted personal data regarding a California resident • Businesses and third-parties who receive data must have “reasonable” security measures and procedures • Sliding scale
California’s Data Destruction Law • Consumer records must be destroyed if they contain personal information, when the records are no longer needed • This obligation applies whether the record is in electronic form, or not • Destruction is accomplished through: • shredding; • erasing, or • otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means
Data Security/Destruction Laws • SOX • FACT Act • Arkansas • California • Colorado • Indiana • Minnesota • Montana • Nevada • New Jersey • New York • North Carolina • Rhode Island • Tennessee • Texas • Utah • Vermont • Washington
Spyware and Phishing • 12 states have enacted laws (mostly this year) on spyware or phishing. • What is spyware? • “software that gathers information about a computer’s use and transmits that information to someone else, appropriates the computer’s resources, or alters the functions of existing applications on the computer, all without the computer user’s knowledge or consent.” FTC v. Seismic Entertainment Productions, Inc., 2004 WL 2403124.
Spyware and Phishing • Spyware and the DMCA • Recent issues
Spyware, Phishing and Pharming • What is the importance of these issues to companies? • Implicates advertising. • Affects software update features. • Customer losses. • Business losses and network costs. • IP infringement.
Restrictions on Spyware • What triggers a spyware law? • Affecting a computer you do not own. • Engaging in some form of deceptive conduct.
Restrictions on Spyware • What are examples of deceptive or improper acts? • Gathering certain forms of personally identifiable information. • Changing a homepage setting. • Changing computer settings. • Blocking the installation of software. • Causing the installation of software. • Changing other Internet settings. • Assuming control of a computer. • Setting cookies?
Civil Actions for Spyware • In many cases civil actions (apart from statutory violations) face legal hurdles. • Kerrins v. Intermix • Disgorgement of profits not permitted as a remedy. • Included California’s Little FTC Act, B&P Section 17200.
Civil Actions for Spyware • Restrictions on enforcement. • Some states limit the categories of people that can bring an enforcement action. • Directly affected consumer. • ISPs. • The state. • Trademark owner.
Phishing and Pharming • Phishing is the use of email or other means to imitate a legitimate company or business in order to obtain passwords or other sensitive information in order to commit theft or fraud. • Pharming redirects users to a fraudulent website that imitates a legitimate one, typically by tampering with DNS resolution or the user’s hosts file, so that information is harvested even though the user typed the correct address and clicked no deceptive link.
Potential Enforcement for Phishing and Pharming. • CFAA. • Wire fraud. • FTC Act. • State FTC Acts. • State phishing and identity theft laws. • IP lawsuits.
Privacy Litigation • Airlines cases. • Dyer v. Northwest Airlines Corporation, et al., 334 F.Supp.2d 1196 (D.N.D. 2004); • In re American Airlines Privacy Litigation, 3:04-MD-1627-D (N.D.Tex. 2005). • Laptop case. • Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D.Minn. 2006). • No standing/no damages. • Bell v. Acxiom, 2006 WL 2850042 (E.D.Ark. 2006).
Privacy Takeaways • Assess what information is being collected • Think through the types of data you are collecting • Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers
Privacy Takeaways • Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems. • Consider what security systems you have in place and what security measures you are requiring third parties to have. • Consider restrictions upon the use of removable media. • Make sure your privacy policy makes the necessary disclosures.
Privacy Takeaways • Reserve the right to modify your privacy policy • Ensure that employees are aware of your policies • Assess whether you have a responsibility to report a data security incident • Determine if you are sending data to, or receiving data from, countries that have higher privacy and security standards