Businesses that use behavioral marketing and advertising techniques may consider reviewing and commenting on the Federal Trade Commission’s (“FTC”) proposed guidelines. The guidelines are designed to provide consumers with more visibility into the behavioral advertising process, which the FTC recognizes can be very valuable.

The FTC’s guidelines are designed to address four primary concerns:
- greater transparency and consumer control;
- the need to prevent criminals from accessing data collected for behavioral advertising;
- ensuring that companies keep their privacy promises when changing their privacy policies;
- the collection of sensitive data, like medical records or children’s activities, for behavioral advertising.

According to the FTC, businesses could use the guidelines as a tool for self regulation. The FTC has extended the deadline for commenting on the guidelines until April 11. For the complete text of the proposed guidelines, visit Ferderal Trade Commission.

Tags:

Tags:

In New York, if a company terminates an employee and prohibits that employee from accessing personal information on a company computer, the company may find itself being sued for conversion. A recent decision by the New York Court of Appeals raises the possibility that by prohibiting a former employee from recovering private or personal electronic data from a company computer, the company might be sued for the tort of conversion. In making its decision, the court essentially recognized that electronic data is just another form of personal property protected by the law. Thyroff v. Nationwide Mutual Insurance, 2007 WL 844860 (N.Y. 2007), involved a Nationwide insurance agent who was terminated. The agent kept personal data and customer information on a company computer system, and after his termination, Nationwide denied him access to that information.

Tags:

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach.  More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft.  The state provisions are not uniform, and are often difficult to reconcile.  Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform.  One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information. 

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws.  Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags:

 The New York Court of Appeals’ decision in Thyroff recognizing a conversion claim based on a company preventing a former employee from accessing personal information stored on the company’s computer certainly presents some difficult privacy issues for businesses, who already face enough potential legal troubles when terminating employees.  You suggested that to avoid infringing on an employee’s privacy rights in electronic data on a business computer, a business could give a terminated employee access to the computer to retrieve their personal information.  That may present practical difficulties because that access would have to be supervised or somehow limited to prevent the former employee from gaining access to confidential business information or even, in the worst case, sabotaging the company’s computer.  Do you have any other ideas on how a business might protect its former employee’s privacy rights and avoid potential tort liability?

Tags:

The issue of employee privacy rights in data stored on an employer’s computer is a difficult one.  If an employee displayed framed family photos on her desk, an employer would not refuse to turn those photos over to the employee upon termination.  These days, the employee is just as likely to keep such photos as jpegs or gifs on her PC at work, along with many other types of personal information, from correspondence to recipes.  Allowing a terminated employee access to that computer after termination does present practical difficulties, and a business that chooses this method of avoiding liability for breach of employee privacy rights should implement safeguards to prevent the former employee from compromising company security or having access to trade secrets and other valuable business information.

A company could adopt a policy prohibiting employees from storing personal information on a company computer, though this may be impractical to enforce.  A number of courts have held that an employee has no privacy expectation in workplace computer files where company guidelines and policy explicitly inform the employee that no expectation of privacy exists.  See, e.g., Muick v. Genayre, 280 F.3d 741, 743 (7th Cir.2002); United States v. Simons, 206 F.3d 392, 398 (4th Cir.2000); Thygeson v. Bancorp, 2004 WL 2066746 (D. Or. 2004); Kelleher v. City of Reading, 2002 WL 1067442 (E.D. Pa. 2002).  A company could adopt such a policy, which could be used as evidence that when the employee stored the information, the employee was aware that she had no privacy interest in that electronic data and that the information no longer belonged to her. 

It might also be helpful to require employees to acknowledge in writing that any information stored on a company computer belongs to the company and that they have no privacy interests in such information.  The Thyroff decision did not indicate whether or not Northwest Mutual had such a policy in place.  It is also not clear whether a court might conclude that whether or not there was a privacy expectation, the employee still had a property right in the information that could be enforced in an action for conversion.  Nevertheless, a company’s litigation position would in all likelihood be strengthened by implementing and enforcing a policy regarding storage of personal data on company computers.

Tags:

Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes.  Thirty-four states already have security breach notification laws in effect.  If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of the notification laws.
 
In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages.  For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.

In the Providence case, Providence’s employee left the office with tape back ups and disks containing more than 365,000 patient records.  The employee left the information in the car, where it was stolen.  When the patients indicated that they would like Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.

Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information.  Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.

Tags:

 Currently, businesses responding to a breach of their customers’ personal information must consult a patchwork of state laws to determine what steps they are required take to mitigate the damage, including whether and to what extent they must notify those customers that their information may have been compromised. There is not yet a federal privacy statute applicable to such situations. (More information regarding the present state of the law on this issue can be found here.

However, since all of the alternative legislation now pending in Congress would preempt state laws to one degree or another, it makes sense for companies to begin to familiarize themselves with the direction that Congress might be heading in this regard in order to ensure early and full compliance with whatever rules Washington ends up enacting. The various privacy bills still pending in the House and Senate described in the article referenced above are a good place to start. In addition, though, on April 30, 2007, Congress received a report on a study conducted by the U.S. Government Accountability Office (“GAO”) in order to assess the government’s own response to data breaches. While the stated aim of the study was to help federal agencies improve their ability to respond to such incidents, the basic framework of the GAO’s policy recommendations incorporates many concepts found in pending federal and enacted state legislation, and it is therefore easy enough to translate to a business context. To the extent that the report will return congressional attention to the issue of data security, it should be a useful resource for businesses wanting to begin early implementation of internal procedures that likely will not be too far from the mark, once a final federal rule is enacted and becomes effective.

Many of the GAO’s policy recommendations will sound familiar to those who have some experience with existing data security regulations and best practices. Among other measures, the report recommends: a “two-tiered” approach to incident reporting, where all incidents are reported to a designated, responsible government office, with only those entailing a risk of identity theft being reported to the affected individuals; the designation of a “core management group” to be responsible for quickly responding to incidents; the implementation of mechanisms to allow for the efficient retrieval of addresses of potentially-affected individuals for notification purposes; and taking steps to ensure awareness and training on data security issues. both among internal staff as well as among contractors.

The full report may be obtained here.

Tags:

 Private businesses are not the only victims of theft relating to confidential information.  In the largest security breach on record involving Social Security numbers, a U.S. Department of Veteran’s Affairs employee violated agency policy and took a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975.  Burglars stole the laptop from the employee’s home.  The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth.  In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records.  The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk.  The FTC attorneys were working on a case, and were authorized to have the laptops.  The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated.  The laptops did not contain any information about FTC employees or government officials.   Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities.  The FTC offered free credit monitoring for 110 people as a result of the theft.

Tags:

In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.

ValueClick, through its wholly owned subsidiary, E-Babylon, sold printer ink and printer accessories through a variety of websites that utilized an on-line credit and debit card payment processing system. Consumers purchasing products on these websites were required to provide personal information including name, address, phone number, credit card number, and credit card expiration date. The website also required consumers to provide the three-digit credit card verification code ("CVV2 code") printed on the back of credit cards. CVV2 codes are particularly sensitive because they are intended to protect consumers against fraudulent internet and telephone purchases in which a sales associate can not physically verify that the card belongs to the card-holder. If stolen, possession of the CVV2 code in conjunction with the consumer's personal information would make it easy for information thieves to make fraudulent purchases with stolen information.

The FTC also alleged that ValueClick and its subsidiaries distributed or caused to be distributed privacy policies that claimed to protect consumers' personal information by encrypting data collected for the purpose of delivering products and services to consumers. The privacy policies claimed to use "industry standard" security measures to protect consumers' personal information. ValueClick and its subsidiaries used either no or limited encryption in its database systems. One of the defendant's systems used a simple alphabetic substitution system that was not consistent with industry standards.

Furthermore, the E-Babylon sites were subject to Structured Query Language (SQL) injection attacks. In SQL injection attacks, the attacker manipulates the address in the internet browser's address bar to gain access to information in the database supporting the website. These databases contained consumers' personal information and credit card information. The FTC alleged that SQL attacks were a well-known and well-publicized form of hacking and that solutions were both available and inexpensive.

In addition to the monetary penalties, ValueClick agreed to clearly disclose in its ads and web pages that consumers must spend money to qualify for “free” merchandise. Additionally, ValueClick and its subsidiaries must refrain from making misrepresentations about the use of encryption to protect consumers’ data. Finally, ValueClick agreed to independent third-party assessments of its programs for 20 years.

Tags:

Tags:

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects, whether the company discloses the information to third-parties, and if so, under what circumstances, a list of the safeguards employed to protect the information, and a discussion of any opt-out provisions required.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

• Investigations by appropriate regulatory authorities.
  
• Orders prohibiting further misrepresentations.
  
• Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.
  
• Claims based on negligence for failing to follow enumerated policies.
  
• Civil fines.
  
• Officer and director liability.
  

It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.

Tags:

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:

• Disclosure to the Census Bureau and the Bureau of Labor Statistics;
• Disclosure for routine uses within a U.S. government agency;
• Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”
• Disclosure to law enforcement agencies;
• Disclosure to aid in congressional investigations; or
• Disclosure for other administrative purposes.

The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.

Tags:

Many business’ natural inclination is to draft service contracts to vigorously and comprehensive protect the business’ interests over those of its customers or other third parties. However, in the effort to maximize contractual protections, it is often possible to overreach and to end up with a document in which protective measures are determined to be unenforceable or, perhaps worse, in which certain overprotective measures negatively affect the enforceability of other provisions.

Blockbuster, Inc. learned this lesson the hard way in a 2009 trial court opinion from the U.S. District Court in the Northern District of Texas. There, one of Blockbuster’s customers sued the company for alleged violations of the U.S. Video Privacy Protection Act for sharing information about the movies she rented with Facebook through the Blockbuster Online service. (Blockbuster had entered into a contract with Facebook under which Facebook’s Beacon software was able to collect and broadcast the customer’s rental choices to the her Facebook friends.) Aside from being a highly questionable business decision from a customer privacy perspective, Blockbuster’s arrangement with Facebook also directed light to a significant problem with Blockbuster’s customer agreement.

In response to the plaintiff’s claims, Blockbuster sought to enforce an arbitration clause in the “Terms and Conditions” of its customer agreement to take the matter out of federal court. However, on the plaintiff’s objection, the court refused to do so based on its opinion that the arbitration provision was unsupported by adequate consideration and, thus, illusory and unenforceable. The court based its holding on another provision in the customer agreement, titled “Changes to Terms and Conditions,” that read as follows:

Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.

With regard to the agreement’s arbitration provision, the problem with the above language is that it does not clearly indicate that Blockbuster’s unilateral decision to modify the Terms and Conditions will not apply to disputes, otherwise subject to arbitration, that arose out of events occurring prior to publication on Blockbuster’s site. Thus, Blockbuster theoretically could change the terms of the agreement after the accrual of a claim against it, with that change then retroactively applying to the dispute. The court held that even if Blockbuster never intended this to be the effect of the agreement, it had no alternative but to rely on the agreement’s language in light of prevailing law. The court therefore denied Blockbuster’s motion to compel arbitration.

The court also noted that other courts have considered similar agreements that were held to be enforceable due to the presence of appropriate savings clauses in the terms of the agreements at issue. One such provision read as follows:

[N]o amendment shall apply to a Dispute of which the Sponsor [Halliburton] had actual notice on the date of amendment…termination [of the arbitration agreement] shall not be effective until 10 days after reasonable notice of termination is given to Employees or as to Disputes which arose prior to the date of termination.

(Quoted from In re Halliburton Co., 80 S.W.3d 566, 569-70 (Tex.2002).) Because the above provision specifically limited the company’s ability to make unilateral changes to the agreement, thereby leaving enforceable an arbitration clause found elsewhere in the agreement.

All businesses owe it to their owners or shareholders to ensure that they obtain as much benefit as possible out of their service agreements. To move new agreements into production without the benefit of the opinion of counsel has the potential to result in consequences that are both unintended and unwanted.

The Blockbuster opinion is from the case of Harris v. Blockbuster, Inc., Case No. 3:09-cv-217-M. 

Tags:

Many businesses learn the hard way that even implied use of a famous person’s name or likeness without that person’s permission can be a costly mistake. Jewel Food Stores and Dominick’s Finer Foods, two grocery chains operating stores in the Chicago area, recently were named as defendants in lawsuits filed by basketball great Michael Jordan for publishing ads indirectly referencing Jordan’s 2009 induction into the Basketball Hall of Fame. The ads did not include Jordan’s picture or his name, but he nevertheless alleged in his complaint that the ads suggested an endorsement of the chains’ respective brands. Similarly, Chuck Yeager, the renowned former test pilot who was the first person to fly faster than the speed of sound, recently sued Virgin America for publishing an ad stating: “not unlike Buzz Aldrin or Chuck Yeager, you have the opportunity to be a part of a monumental moment in air travel.” In each case, the claimants have requested injunctive relief and damages.

Rights of publicity and the remedies available for their infringement vary from state to state, with some states offering statutory and/or common law remedies that can be much more far-reaching (and expensive for infringers) than those available in other states. Broadly stated, though, among states that offer remedies, the right usually can be distilled as the right to control any commercial use of a person’s name, image, likeness, or other identifying characteristic. The right is subject to limitations both under state law and under the First Amendment, but the consequences for infringers can be significant.

Businesses must work closely with counsel to carefully consider and plan any use of a third party’s identity in advertisements or other publicity.

Tags: