Privacy & Information Security Law Blog

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. 

On December 1, 2011, a consolidated litigation against Netflix was ordered to private mediation pursuant to an agreement between the parties. As we previously reported, the plaintiffs allege that Netflix’s practice of maintaining customer movie rental history and recommendations after their subscriptions are cancelled violates the federal Video Privacy Protection Act (“VPPA”). In August 2011, several similar cases against Netflix were consolidated by a federal court in California.

News of the mediation order comes as a significant amendment to the VPPA awaits Senate ...

On October 27, 2011, the United States District Court for the Northern District of California dismissed claims that Facebook misappropriated users’ names and likenesses in promoting its “Friend Finder” feature. Friend Finder identifies potential “friends” for a Facebook user by matching his or her email contacts with users already registered with Facebook, then presenting the user with friend suggestions. Facebook promoted the feature by displaying the names and profile photos of current friends as examples of users who had found friends with Friend Finder.

As reported in the Hunton Employment & Labor Perspectives Blog:

California Governor Jerry Brown recently signed into law Senate Bill No. 559 (SB 559), which prohibits discrimination based on an individual’s genetic information. While SB 559 significantly expands the protections from genetic discrimination provided under the federal Genetic Information Nondiscrimination Act of 2008 (GINA), at this time, its impact on most California employers is thought to be limited to the potential for greater damages to be awarded under it than under its federal counterpart.

As reported in the Hunton Employment & Labor Perspectives Blog, on October 10, 2011, California became the seventh state to enact legislation restricting public and private employers alike from using consumer credit reports in making hiring and other personnel decisions. Assembly Bill No. 22 both adds a new provision to the California Labor Code -- Section 1024.5 -- and amends California’s Consumer Credit Reporting Agencies Act (“CCRAA”). Effective January 1, 2012, California employers will be prohibited from requesting a consumer credit report for employment purposes unless they meet one of the limited statutory exceptions, and those employers meeting an exception, will be subjected to increased disclosure requirements. Connecticut, Illinois, Hawaii, Oregon, Maryland and Washington already have similar laws on the books, and many other states, as well as the federal government, are contemplating similar legislation. This trend creates a potential “credit-centric” minefield for employers that do business in any one or more of these states. In light of the multiple laws affecting their use, employers who utilize consumer credit reports in making personnel decisions should proceed cautiously. Employers must evaluate the need for these reports in making personnel decisions, review and modify their policies to ensure compliance with the myriad of regulations in this area, and monitor any new developments to ensure continued compliance.

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.

A putative class action complaint filed on June 22, 2011, in the United States District Court for the Northern District of California alleges that the popular cloud-based storage provider Dropbox, Inc. failed to secure users’ private data or to notify the vast majority of them about a data breach.  According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access those users’ data stored on Dropbox.  The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised.  The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.

On May 27, 2011, a class action complaint was filed in the United States District Court for the Northern District of California against Google and its recently acquired subsidiary, Slide, alleging that they violated the Telephone Consumer Protection Act (“TCPA”) when they sent text messages to people’s cell phones without first obtaining their consent.

In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages.  This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.

On May 31, 2011, an Order was filed in the District Court for the Northern District of California granting final approval of the Google Buzz class action settlement and cy pres awards for organizations focused on Internet privacy policy or privacy education. Pursuant to the Order, the court adopted the Google Buzz settlement agreement and certified the proposed settlement class, which includes “all Gmail users in the United States presented with the opportunity to use Google Buzz through the Notice Date.” The court also approved the following list of organizations and ...

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

A new bill proposed in California, the Social Networking Privacy Act (the “Act”), would force social networking websites to establish default privacy settings for their users that prohibit such sites from publicly displaying most information about users without the users’ consent.  Given that many social networking websites currently have default settings that make user personal information and photos public unless the user changes those settings, the Act would represent a fundamental shift in social networking privacy.

On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers.  On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins.  Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained.  The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure.  Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

On March 11, 2011, Virginia resident Peter Comstock filed a class action complaint against Netflix, Inc. in the United States District Court for the Northern District of California.  According to the complaint, Netflix “tracks its users’ viewing habits with respect to both videos watched over the Internet...and physical movies ordered through the Internet and watched at home,” while encouraging “subscribers to rank the videos they watch.”  The complaint alleges that Netflix’s practice of maintaining customer movie rental history and recommendations, “long after subscribers cancel their Netflix subscription,” violates the federal Video Privacy Protection Act (“VPPA”), and California’s Customer Records Act and Unfair Competition Law.  In addition, the complaint alleges that Netflix’s failure to properly store user information and its sale of customer data to third parties led to its unjust enrichment and a breach of its fiduciary duty.  Comstock and the putative class are seeking both an injunction to stop Netflix’s current practices and monetary damages.

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”).  This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.

On February 11, 2011, Representative Jackie Speier (D-Calif.) introduced two pieces of legislation that, in her words, “send a clear message—privacy over profit.” The Do Not Track Me Online Act of 2011 (HR 654), would direct the Federal Trade Commission to promulgate regulations that establish standards for a “Do Not Track” mechanism. The regulations also would require covered entities to disclose their information practices to consumers, and to respect consumers’ choices regarding the collection and use of their information. 

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent.  Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications.  The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.

On August 18, 2010, a complaint was filed in the U.S. District Court for the Central District of California, alleging that Specific Media, Inc. violated the Computer Fraud and Abuse Act, as well as state privacy and computer security laws, by failing to provide adequate notice regarding its online tracking practices.  The suit, brought by six web users, seeks class action status and over $5 million in damages, and cites Specific Media’s use of Flash cookies to re-create deleted browser cookies as one of the offending practices.

Breaking -- The Supreme Court has issued its decision in City of Ontario, California v. Quon, ruling unanimously that the police department did not violate an officer's Fourth Amendment rights when supervisors reviewed text messages transmitted using a work-issued pager.  In reaching this decision, the Court did not resolve whether the officer had a reasonable expectation of privacy, rather the Court based its decision on a determination that the search itself was reasonable.

Read our previous coverage of this case.

On May 26, 2010, the court in Crispin v. Christian Audigier, Inc. quashed portions of subpoenas seeking the disclosure of private messages sent through Facebook and MySpace.  The court left open the question of whether Crispin’s wall postings and comments should be disclosed pending a more thorough review of his online privacy settings.

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users.  On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.”  The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies.  Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law.  In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test.  Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.

The U.S. Supreme Court announced Monday that it will review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  In Quon, the Ninth Circuit considered whether the Ontario, California police department and the City of Ontario violated a police officer’s privacy rights by reviewing private text messages the officer sent using a two-way pager issued by the police department.  The police officer had on several occasions exceeded the limit on the text messages provided by the department-paid plan.  Each time, the officer paid for the overage without anyone reviewing his text messages.  When the officer again exceeded the limit, his supervisor requested from the service provider and subsequently reviewed transcripts of the officer’s messages to determine if the messages were work-related.

Kaiser Permanente Bellflower Hospital has again been penalized for failing to prevent unauthorized access to confidential patient information.  On July 16, 2009, the California Department of Public Health announced that it had levied administrative penalties totaling $187,500 on the hospital after it was determined that eight Kaiser employees had compromised the privacy of four patients' medical information.  On May 14, 2009, the same facility was fined $250,000 -- the maximum allowable penalty under the new state health privacy provisions that came into effect on January 1st -- for violations related to unauthorized employee access to the medical records of Nadya Suleman.  The latest fine included a $25,000 penalty for each of four patients whose medical records allegedly were breached, plus $17,500 per incident for five subsequent alleged breaches of those medical records after the first.

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical ...

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Google Earth and Google Street View, two popular applications offered by Google that enable users to view detailed satellite images of buildings or street-level panoramas of major roads and neighborhoods, have recently engendered controversy.  In the United States, legislators in California and Texas have introduced bills directed at Google Earth and other similar applications.  The proposed California bill prohibits operators of commercial Internet websites that make a “virtual globe browser available to members of the public” from providing “aerial or satellite photographs or imagery” of schools, religious facilities or government buildings, unless those images have been blurred.  Violators could be fined at least $250,000 and natural persons who knowingly violate the provisions could face imprisonment between one to three years.  The proposed Texas bill prohibits any person from publishing on the Internet “an image capable of zooming into greater detail than that of an aerial photograph taken without a magnifying lens 300 feet or higher of private property not visible from the public right-of-way,” and classifies the offense as a Class B misdemeanor, which is punishable by a fine up to $2,000 or 180 days in prison.

Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).