Privacy & Information Security Law Blog

In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.

On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government’s search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”

On October 8, 2014, the United States District Court for the Northern District of Georgia granted Cartoon Network, Inc.’s (“Cartoon Network’s”) motion to dismiss a putative class action alleging that Cartoon Network’s mobile app impermissibly disclosed users’ personally identifiable information (“PII”) to a third party data analytics company under the Video Privacy Protection Act (“VPPA”).

A recent decision by the United States Court of Appeals for the Ninth Circuit reinforces the importance of obtaining affirmative user consent to website Terms of Use for website owners seeking to enforce those terms against consumers. In Nguyen v. Barnes & Noble Inc., the Ninth Circuit held that Barnes & Noble’s website Terms of Use (“Terms”) were not enforceable against a consumer because the website failed to provide sufficient notice of the Terms, despite having placed conspicuous hyperlinks to the Terms throughout the website.

On September 2, 2014, a federal district court in California granted final approval to a settlement ending a class action against Bank of America (“BofA”) and FIA Card Services stemming from allegations that the defendants “engaged in a systematic practice of calling or texting consumers’ cell phones through the use of automatic telephone dialing systems and/or an artificial or prerecorded voice without their prior express consent, in violation of the Telephone Consumer Protection Act (“TCPA”).” The court granted preliminary approval to the settlement in December 2013.

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

It seems that every week brings news that another company has been impacted by a major data breach – and of the resulting financial, legal and public relations costs. As companies seek out ways to prevent these events and recoup losses associated with a data breach, cyber insurance is increasingly discussed as an effective method of recovery. In a recent article published in the Daily Journal, Hunton & Williams’ Insurance Coverage Counseling and Litigation attorney William T. Um offers a primer on cyber insurance, outlining key considerations for businesses as they explore this emerging area of coverage. The article discusses how:

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

It appears as though 2014 will be a banner year for class actions, including numerous cases concerning privacy and cybersecurity issues. In an article published in Law360, two Hunton & Williams litigation partners summarize recent case law and statistics related to class actions and offer predictions for the year ahead.

Download a copy of the full article.

On January 16, 2014 the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

As reported in the Hunton Employment & Labor Perspectives Blog:

While much attention has been paid this year to the Equal Employment Opportunity Commission’s (“EEOC’s”) agenda and litigation over criminal background checks (the agency asserts such background checks have a disparate impact on minority groups), a parallel challenge kept pace in the form of private class action litigation under the Fair Credit Reporting Act (“FCRA”). 2013 saw a number of significant class action settlements against both employers and consumer reporting agencies (“CRAs”) for alleged violations of the FCRA in the use of criminal background checks:

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

As reported in the Hunton Employment & Labor Perspectives Blog:

In a lawsuit filed in the United States District Court for the Northern District of Texas on November 4, 2013, Texas Attorney General Greg Abbott sought injunctive and declaratory relief against the Equal Employment Opportunity Commission (“EEOC”) on the grounds that the agency’s April 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions “purports to preempt the State’s sovereign power to enact and abide by state-law hiring practices.” In particular, the complaint argues against the EEOC’s prohibition against blanket “no felons” hiring policies. The Texas AG’s complaint highlights key failures and shortcomings of the EEOC’s recent investigative actions, and provides detailed examples of the “real world” effect of the guidance on the state’s hiring decisions.

On October 25, 2013, the Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests (the “Amendment”). The Amendment, which was adopted after three readings and will take effect on March 15, 2014, adds provisions designed to respond to the recent boom in online shopping and focuses on improving protections in the area of consumer rights and interests by:

On October 7, 2013, the United States District Court for the Central District of California held that a general liability insurance policy covered data breach claims alleging violations of California patients’ right to medical privacy. Hartford Casualty Insurance Co. v. Corcino & Associates, CV 13-03728-GAF (C.D. Cal. Oct. 7, 2013). The court rejected the insurer’s argument that coverage was negated by an exclusion for liabilities resulting from a violation of rights created by state or federal acts. The decision also rejected an attempt commonly made by insurers to exclude ...

On August 26, 2013, the U.S. District Court for the Northern District of California approved a settlement with Facebook, Inc., related to the company’s alleged misappropriation of certain Facebook members’ personal information, such as names and profile pictures, that was then used in ads to promote products and services via Facebook’s “Sponsored Stories” program.

On August 1, 2013, the United States District Court for the District of Minnesota denied a criminal defendant’s motion to suppress, holding that the defendant had no reasonable expectation of privacy in computer files he shared on a peer-to-peer network.

On June 5, 2013, the United States District Court for the Northern District of Ohio denied an employer’s motion to dismiss, holding that the Stored Communications Act (“SCA”) can apply when an employer reads a former employee’s personal emails on a company-issued mobile device that was returned when the employment relationship terminated. The defendants, Verizon Wireless (“Verizon”) and the manager who allegedly read the plaintiff’s emails, argued that the SCA applies only to computer hacking scenarios, and that the plaintiff authorized the reading of her personal emails. The court rejected both of the arguments, finding:

On June 11, 2013, the United States Court of Appeals for the Seventh Circuit denied software maker comScore, Inc.’s petition to appeal class certification in a litigation related to comScore software that allegedly collected extensive data from consumers’ computers without authorization. The plaintiffs alleged that comScore (an online analytics company) gathered data from consumers’ computers through software that it bundled with third-party software, such as free screensavers, games, music-copying programs and greeting card templates. According to the plaintiffs, this software collected data including “the monitored consumer’s usernames and passwords; queries on search engines...; the website(s) the monitored consumer is currently viewing; credit card numbers and any financial or otherwise sensitive information inputted into any website the monitored consumer views; the goods purchased online by the monitored consumer, the price paid by the monitored consumer for the goods, and amount of time the monitored consumer views the goods before purchase; and specific advertisements clicked by the monitored consumer,” as well as data about all files on the consumer’s computer.

As reported in the Hunton Employment & Labor Perspectives Blog:

Furthering its controversial ruling in Banner Health System d/b/a Banner Estrella Medical Center, 358 NLRB No. 93 (July 30, 2012), the National Labor Relations Board’s (“NLRB’s”) Office of the General Counsel released a memorandum providing additional guidance on the confidentiality of internal workplace investigations. Banner Health held that to require confidentiality of investigations, an employer must show more than a generalized concern with protecting the integrity of its investigations. Rather, an employer must “determine whether in any give[n] investigation witnesses need[ed] protection, evidence [was] in danger of being destroyed, testimony [was] in danger of being fabricated, and there [was] a need to prevent a cover up.”

As the number of security breach incidents and privacy violations continues to increase, so too has the volume of lawsuits—particularly class action lawsuits—seeking damages for actual and future harms resulting from unauthorized disclosures of personal information. Affected companies have looked to their traditional insurance coverage to defray costs associated with responding to these incidents and lawsuits, but standardized commercial general liability policies may not provide adequate coverage.

As reported in the Hunton Employment & Labor Perspectives Blog:

On March 19, 2013, in Standard Fire Insurance Co .v. Knowles, the United States Supreme Court ruled that stipulations by a named plaintiff on behalf of a proposed class prior to class certification cannot serve as the basis for avoiding federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”).

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.

On February 4, 2013, the Supreme Court of California examined whether Section 1747.08 of the Song-Beverly Credit Card Act (“Song-Beverly”) prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product. In a split decision, the majority of the court ruled that Song-Beverly does not apply to online purchases in which the product is downloaded electronically.

On January 25, 2013, Kmart Corporation (“Kmart”) agreed to a $3 million settlement stemming from allegations that it violated the Fair Credit Reporting Act (“FCRA”) when using background checks to make employment decisions. The FCRA addresses adverse actions taken against consumers based on information in consumer reports and includes numerous requirements relating to the use of such reports in the employment context.

As reported in BNA’s Privacy & Security Law Report, on December 14, 2012, a federal district court in California ruled that a retail store’s policy of collecting personal information only after providing customers with receipts does not violate the Song-Beverly Credit Card Act (“Song-Beverly”). Under Section 1747.08(a)(2) of Song-Beverly, a retailer that accepts credit cards for the transaction of business may not “[r]equest, or require as a condition to accepting the credit card as payment … the cardholder to provide personal identification information,” which the entity accepting the credit card then “writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

U.S. Federal Trade Commission Chairman Jon Leibowitz announced on Monday that David C. Vladeck, director of the FTC's Bureau of Consumer Protection, is leaving the Commission on December 31, 2012 to return to the Georgetown University Law Center.

On November 21, 2012, the UK Supreme Court handed down a judgment in The Rugby Football Union vs. Consolidated Information Services Limited (Formerly Viagogo Limited), a case addressing the application of Article 8 of the EU Charter of Fundamental Rights (Protection of Personal Data) in the context of court orders seeking to disclose the identities of alleged wrongdoers.

On November 9, 2012, a federal District Court in Washington certified a national class and a Washington state sub-class in an action alleging that Papa John’s International, Inc. (“Papa John’s”) violated the Telephone Consumer Protection Act (“TCPA”) by sending unsolicited text messages advertising its pizza products. The court determined that plaintiffs had standing and satisfied all other requirements for class certification.

On October 30, 2012, the U.S. District Court for the Southern District of California ruled that an opt-out confirmation text sent by Citibank (South Dakota), N.A. (“Citibank”) did not violate the Telephone Consumer Protection Act (“TCPA”). Under a “common sense” interpretation, the court determined that Citibank’s opt-out text does not demonstrate the type of invasion of privacy the TCPA seeks to prevent.

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.

In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.

As reported in BNA’s Privacy & Security Law Report,on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording zip codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of zip codes from its customers. The Plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.

As reported in BNA’s Privacy & Security Law Report, on May 4, 2012, the United States District Court for the Southern District of California granted plaintiffs’ motion for class certification in an action against IKEA U.S. West, Inc. (“IKEA”) under the Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Act”). The suit alleges that IKEA violated the Song-Beverly Act by requesting that cardholders provide their ZIP codes during credit card transactions, and then recording that information in an electronic database. The Court found that the class definition was not overbroad and that IKEA’s practice of requesting ZIP codes demonstrated common questions of law best resolved through a class action.

On April 5, 2012, social media giant Twitter, Inc. (“Twitter”) filed a civil lawsuit against spammers and makers of spamming software claiming violations of Twitter’s user agreement and various California state and common laws. Borrowing from the popular term for unsolicited email messages, Twitter’s complaint describes “spam” on Twitter as “a variety of abusive behaviors” including “posting a Tweet with a harmful link … and abusing the @reply and @mention functions to post unwanted messages to a user.” The suit alleges that certain defendants violated Twitter’s Terms of Service, which prohibit “spam and abuse,” by distributing software tools “designed to facilitate abuse of the Twitter platform and marketed to dupe customers into violating Twitter’s user agreement.” Other defendants allegedly operated large numbers of automated Twitter accounts through which they attempted to “trick Twitter users into clicking on links to illegitimate websites.”

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

On February 16, 2012, the European Court of Justice held in the SABAM vs. Netlog case (C-360/10) that imposing an obligation on social networks to install a “general filtering system” to prevent all users from sharing copyrighted music is disproportionate to the extent that such filters may infringe on user privacy rights or block lawful communications. SABAM, a Belgian copyright association, had filed an injunction against social network provider Netlog that would have required Netlog to install filtering systems to prevent copyright infringements by Netlog users. The Belgian court deciding on the injunction requested a preliminary ruling from the ECJ.

On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation's (“Ceridian's") customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.

In December 2009, a hacker may have gained access to personal and financial information of Ceridian’s customers, including names, addresses, Social Security numbers, dates of birth and bank account information. Although it is not known if the hacker read, copied or understood the data, Ceridian sent notification letters to affected individuals informing them of the breach and offering to provide one year of complimentary credit monitoring and identity theft protection.

On October 27, 2011, the United States District Court for the Northern District of California dismissed claims that Facebook misappropriated users’ names and likenesses in promoting its “Friend Finder” feature. Friend Finder identifies potential “friends” for a Facebook user by matching his or her email contacts with users already registered with Facebook, then presenting the user with friend suggestions. Facebook promoted the feature by displaying the names and profile photos of current friends as examples of users who had found friends with Friend Finder.

On October 13, 2011, the Securities and Exchange Commission Division of Corporation Finance issued disclosure guidance (“Guidance”) regarding cybersecurity matters and cyber incidents. While the Guidance does not change existing disclosure requirements, it does add specificity to existing requirements. In some respects, that specificity is helpful, but the Guidance fails to take into account the uncertainty that inevitably accompanies efforts to assess and disclose cybersecurity matters and incidents.

Read a detailed summary of the Guidance and analysis regarding ...

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

On September 28, 2011, a federal court in Illinois held that West Publishing Company (“West”) had not violated the Driver’s Privacy Protection Act (“DPPA”) by reselling driver’s license information obtained from state DMVs.  The court held that (1) the DPPA creates a federal private right of action permitting individuals like the plaintiffs to bring their class action suit, but (2) the lower court’s dismissal for failure to state a claim was proper.

Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation.  In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As reported in the Hunton Employment & Labor Perspectives Blog:

The EEOC recently released an informal discussion letter suggesting that employers may be obligated to do more than just maintain a separate file for employee medical records, especially when those records are in an electronic format. Both the Americans with Disabilities Act of 1990 (“ADA”), as amended, and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) require employers to maintain a confidential medical record, which is separate from the employee’s other personnel file(s), for information about the employee’s medical conditions, medical history or “genetic information.” The statutes do not, however, specify how such records are to be maintained or what level of security must be in place to protect the confidentiality of medical or genetic information.

A putative class action complaint filed on June 22, 2011, in the United States District Court for the Northern District of California alleges that the popular cloud-based storage provider Dropbox, Inc. failed to secure users’ private data or to notify the vast majority of them about a data breach.  According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access those users’ data stored on Dropbox.  The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised.  The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.

On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech.  Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case.  The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.

On June 15, 2011, Senator Al Franken (D-MN) and Senator Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (the “Act”).  As we reported previously, Senator Franken is chairman of the newly-created Senate subcommittee on Privacy, Technology and the Law.   In his press release, Senator Franken explained that the Act is designed to “close current loopholes in federal law” while giving customers the ability to learn about and prevent the collection of their location information.  The Act would apply only to non-government entities and would not impact law-enforcement activities.  At a May 10, 2011 hearing, both Google and Apple were questioned about their privacy practices, and Franken subsequently challenged them to require their application developers to adopt clear and understandable privacy policies.

On June 9, 2011, two plaintiffs filed a class action complaint against Google in the United States District Court for the Southern District of Florida.  The complaint alleges that Google’s Android phone “engaged in illegal tracking and recording of [p]laintiffs’ movements and locations … without their knowledge or consent” and that Google violated the Computer Fraud and Abuse Act and Florida statutory and common law by failing to inform Android users that their movements were being tracked and recorded through their phones.

On May 27, 2011, a class action complaint was filed in the United States District Court for the Northern District of California against Google and its recently acquired subsidiary, Slide, alleging that they violated the Telephone Consumer Protection Act (“TCPA”) when they sent text messages to people’s cell phones without first obtaining their consent.

In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages.  This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.

On May 31, 2011, an Order was filed in the District Court for the Northern District of California granting final approval of the Google Buzz class action settlement and cy pres awards for organizations focused on Internet privacy policy or privacy education. Pursuant to the Order, the court adopted the Google Buzz settlement agreement and certified the proposed settlement class, which includes “all Gmail users in the United States presented with the opportunity to use Google Buzz through the Notice Date.” The court also approved the following list of organizations and ...

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

As we previously reported, Korea's long-awaited Personal Information Protection Act (“PIPA”) was enacted on March 29, 2011.  The law generally requires an individual’s informed consent for the collection, use or disclosure of any personal information by any person, company or government agency.  Kwang Hyun Ryoo from Bae, Kim & Lee LLC in Korea has provided a detailed analysis of the law.

On April 26, 2011, the United States Supreme Court heard oral argument in Sorrell v. IMS Health, a case concerning the constitutionality of a Vermont law that restricts access to prescription drug records.  Laws enacted by New Hampshire, Maine and Vermont prohibit pharmacies from selling prescriber-identifiable information in prescription records to third parties for marketing purposes.  The Supreme Court seeks to resolve a circuit split that resulted from legal challenges to the statutes in all three states.  Thomas Julin, partner at Hunton & Williams LLP, represents IMS Health ...

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

An employer who allegedly posted to an employee’s Facebook and Twitter accounts without her consent may face liability for its actions, according to a federal judge in Illinois.  The case is Maremont v. Susan Fredman Design Group, Ltd., in the U.S. District Court for the Northern District of Illinois (2011 U.S. Dist. LEXIS 26441, March 15, 2011).

The Plaintiff, Jill E. Maremont, worked as the Director of Marketing, Public Relations and E-Commerce for an interior designer and her company, Susan Fredman and the Susan Fredman Design Group, Ltd. (Defendants).  Maremont contends she created a “popular personal following” on Facebook and Twitter, and she also created a company blog called “Designer Diaries: Tales from the Interior.”

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

A commonly used pre-employment screening method--conducting credit checks--has drawn increased scrutiny in recent months.  Legislatures at the state and federal levels are considering bills that would limit employer use of credit checks.  Moreover, two recently-filed lawsuits, one of which was filed by the EEOC, seek to challenge the use of pre-employment credit checks in hiring decisions. 

On December 14, 2010, the United States Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a “subscriber enjoys a reasonable expectation of privacy in the content of emails” stored, sent or received through a commercial internet service provider (“ISP”).  According to the court, the government must have a search warrant before it can compel a commercial ISP to turn over the contents of a subscriber’s emails.

In 2008, a jury sitting in the Southern District of Ohio convicted defendants Steven Warshak, Harriet Warshak and TCI Media, Inc. of various crimes relating to defrauding customers of Berkeley Premium Nutraceuticals, Inc.  Before trial, Warshak’s motion to exclude thousands of emails that the government obtained from his ISP was denied.  The defendants appealed their convictions, arguing that the government’s warrantless seizure of Warshak’s private emails violated the Fourth Amendment’s prohibition on unreasonable searches and seizures.

The United States Court of Appeals for the Seventh Circuit has rejected a defendant’s argument that the Wiretap Act’s prohibition on interception of communications applies only to an acquisition that is contemporaneous with the communication.  In United States v. Szymuszkiewicz, No. 07-CR-171 (7th Cir. Sept. 9, 2010), the defendant faced criminal charges under the Wiretap Act for having implemented an automatic forwarding rule in his supervisor’s Outlook email program that caused the workplace email server to automatically forward him a copy of all emails addressed to his supervisor.  The defendant argued that (i) the forwarding happened only after the email arrived at its intended destination and was thus not contemporaneous with the communication, (ii) the Wiretap Act prohibits only unauthorized contemporaneous interceptions (i.e., only interceptions of communications “in flight” as opposed to communications at rest or in storage), and (iii) only the Stored Communications Act applies to unauthorized access to non-contemporaneous communications.

Breaking -- The Supreme Court has issued its decision in City of Ontario, California v. Quon, ruling unanimously that the police department did not violate an officer's Fourth Amendment rights when supervisors reviewed text messages transmitted using a work-issued pager.  In reaching this decision, the Court did not resolve whether the officer had a reasonable expectation of privacy, rather the Court based its decision on a determination that the search itself was reasonable.

Read our previous coverage of this case.

On May 26, 2010, the court in Crispin v. Christian Audigier, Inc. quashed portions of subpoenas seeking the disclosure of private messages sent through Facebook and MySpace.  The court left open the question of whether Crispin’s wall postings and comments should be disclosed pending a more thorough review of his online privacy settings.

Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury.  In Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.”  Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.”  When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies.  Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law.  In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test.  Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

The U.S. Supreme Court announced Monday that it will review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  In Quon, the Ninth Circuit considered whether the Ontario, California police department and the City of Ontario violated a police officer’s privacy rights by reviewing private text messages the officer sent using a two-way pager issued by the police department.  The police officer had on several occasions exceeded the limit on the text messages provided by the department-paid plan.  Each time, the officer paid for the overage without anyone reviewing his text messages.  When the officer again exceeded the limit, his supervisor requested from the service provider and subsequently reviewed transcripts of the officer’s messages to determine if the messages were work-related.

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).