Scott & Scott | Software Compliance Counsel
Julie Machal-Fulks Archives

August 2, 2011

New Texas Healthcare Privacy Law

Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”

Under the new law, “covered entities” are broadly defined as any organization that handles electronic health records. This expanded definition has the potential to impact many organizations that are not currently “covered entities” under HIPAA, such as SaaS and cloud providers who market to health care organizations. In addition to complying with HIPAA requirements, covered entities are required to provide custom training sessions within 60 days of hire. In addition, the time period for responding to patients’ written requests for copies of EHR is reduced from 30 days under HIPAA to 15 days. The new law also includes an explicit ban on selling patient records for profit, and a breach-notification requirement similar to that recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

In addition to the more stringent regulations, there are harsher civil penalties available under the new law. Depending on the degree of intent exhibited in committing a violation, penalties can range from $1,500 to $1.5M per year for disclosure of PHI. The monetary penalties are in addition to any penalties levied by the federal government under HIPAA/HITECH, and they can also include license revocations.

Although the law will not be effective until September 2012, I recommend taking time this year to revisit your organization’s status under the new law and to determine if your current compliance policies and procedures are sufficient to address any new requirements.

September 20, 2010

HP Sues Ex-CEO to Keep Him from Joining Oracle

On September 7, 2010, Hewlett-Packard sued its former CEO, Mark Hurd, in California state court for alleged breach-of-contract and threatened misappropriation of trade secrets. HP is seeking to keep Hurd from joining rival Oracle, which recently offered to hire Hurd as a top-level executive following his publicized departure from HP over claims that he altered expense reports to cover up a personal affair. (A copy of the complaint is available here.)

Trade secrets-related disputes often follow the departures of executives from the companies they lead, especially when, as in this case, the departure is less-than-amicable. However, non-compete agreements are usually very difficult to enforce in court to the extent that they can be construed as an unreasonable restraint on a former employee’s ability to find a job. Moreover, in California, almost all non-compete agreements are void by operation of state law. Even if the agreement HP is seeking to enforce is not a non-compete agreement on its face, if the effect of HP’s requested remedy would be the same as a traditional non-compete agreement, it likely will be extremely difficult for HP to achieve the result it allegedly is seeking.

However, both sides of this dispute clearly have heavy war chests from which to pay their attorneys, so what seems like a predictable result probably will end up being anything but predictable. Nevertheless, to the extent that any business with trade secrets needed one, the case is a good reminder of the importance of taking a holistic approach to the protection of those assets. In many cases, restrictive covenants in employment contracts simply will not get the job done. With some employees, like Hurd in HP’s case, it may be next to impossible to defend against some kinds of misappropriation. In those cases it becomes all the more important to incentivize compliance in the terms of a well-crafted severance package. And, where doubt arises, as always, consult with knowledgeable counsel in order to determine what will and will not be enforceable if the relationship turns sour.

Late-breaking news: According to on Monday, H-P settled its lawsuit against Mark Hurd. As part of the settlement, Hurd will waive rights to 340,000 shares of H-P stock.

August 10, 2010

Beware “Document Soup” Software Licensing

On July 22, 2010, software publisher AccuSoft sued Northrop Grumman Systems in federal court for breach of contract, copyright infringement and trademark infringement related to Northrop’s use of AccuSoft’s ImageGear and ImageTransport software. Northrop allegedly used and integrated AccuSoft’s products in the development of a paperless records information system it developed for the U.S. military. According to AccuSoft, Northrop failed, in particular, and in violation of applicable software license agreements, to provide the required periodic reporting regarding the number of end-user licenses for the AccuSoft products that Northrop had distributed. AccuSoft did not specify a damages claim in its complaint, though it did state that the unauthorized software distributions number in the “hundreds of thousands,” meaning that a decision in its favor potentially could entail a multi-million dollar penalty against Northrop.

Northrop has yet to answer or to respond to the lawsuit, so its position with regard to AccuSoft’s factual claims has yet to be determined. However, the facts presented in the complaint appear to reflect the kind of dispute that often arises when one or both parties to a software licensing relationship do not have an accurate grasp of controlling license agreements. Especially with many larger enterprises, the business units responsible for software license negotiation and acquisition may lack sufficiently open lines of communication with production departments, resulting in internal confusion regarding what agreements have been signed, what agreements remain in effect, and what those agreements mean for the company’s day-to-day operations.

Compounding the confusion is the fact that larger software license transactions often involve the execution of a master license or services agreement, to which other documents specifying discrete product or service orders are attached, as executed, as schedules or exhibits. Over time, the resulting “document soup” can become nearly impossible to manage unless the company has been diligent, in the interim, in tracking all material changes or amendments to the master agreement, all exhibits or schedules that have been executed since the beginning of the relationship, and the effects, if any, of those later instruments on earlier agreements.

Where businesses fail to take pro-active, enterprise-wide, contract-management steps at an early stage, disputes such as the AccuSoft v. Northrop litigation become almost inevitable, especially in an age where many publishers, such as Microsoft, IBM and Oracle, to name a few, are proceeding with software audit initiatives, in some cases across their entire customer bases, in order to ensure compliant software use and licensing.

Businesses with a heavy reliance on software and technology licensing cannot afford not to work closely with counsel in reviewing the terms of all agreements that may affect their ability to use that software or technology in the way that their customers demand.

August 6, 2008

In Copyright Litigation, Availability of Attorney’s Fees Awards Can Cut Both Ways

A recent opinion written by Judge Richard Posner for the 7th Circuit highlights the importance of carefully considering some of the risks of loss for plaintiffs in proceeding with a copyright infringement lawsuit.

In Eagle Services Corp. v. H2O Industrial Services, Inc., the plaintiff, Eagle, filed suit after several of its employees, who left to form H2O, used copies of Eagle’s safety manual in operations at the new business. The manual in question consisted largely, if not entirely, of quotations from OSHA regulations, making the scope of the copyright limited to the compilation as a whole. Instead of pursuing an award of statutory damages under the Copyright Act, Eagle argued that it should be awarded all the profits that H2O made in its business before it created its own manual, because, according to Eagle, without a manual H2O could not have provided any services in its industry without violating OSHA regulations. Though the trial court allowed Eagle to present its case to the jury, at the close of its evidence, H2O moved for judgment in its favor as a matter of law, which the court granted, based on Eagle’s failure to prove that OSHA requires the companies it regulates to maintain a safety manual. However, the trial court refused to award H2O, as the prevailing party, its reasonable attorney’s fees on the ground that the suit was not frivolous and had not been filed in bad faith. H2O appealed the denial of attorney’s fees.

The 7th Circuit reversed the trial court’s decision. In his opinion, Judge Posner noted that the suit “could not have been brought in good faith,” because Eagle never had any reasonable basis to believe that the state would have shut down H2O’s operations for want of a safety manual, especially in light of the fact that, even if a manual were required, the applicable regulations would have given H2O an opportunity to procure one. Judge Posner further noted, colorfully:

So we have a suit brought almost certainly in bad faith, a frivolous suit, a suit against a newer and probably smaller and weaker firm. Under any standard we know for shifting attorney's fees from a losing plaintiff to a winning defendant, H2O (and the individuals joined as defendants along with it) would be entitled to an award of attorney's fees.

Judge Posner also noted that in copyright cases, prevailing defendants are not required to prove that the plaintiffs’ suit was frivolous in order to prove their entitlement to an award of attorney’s fees. According to Judge Posner, if there is any asymmetry in the analysis regarding whether to award attorney’s fees in copyright cases, that asymmetry actually tips in favor of prevailing defendants:

The successful assertion of a copyright confirms the plaintiff's possession of an exclusive, and sometimes very valuable, right, and thus gives it an incentive to spend heavily on litigation. In contrast, a successful defense against a copyright claim, when it throws the copyrighted work into the public domain, benefits all users of the public domain, not just the defendant; he obtains no exclusive right and so his incentive to spend on defense is reduced and he may be forced into an unfavorable settlement.

Though H2O’s success in this case did not result in the enlargement of the public domain, that fact did not rebut the basic presumption affirmed by Judge Posner that, in most cases, awards of attorney’s fees to prevailing parties are appropriate.

This case serves as a useful reminder to businesses considering whether to file suit over infringement of their copyrighted works. The costs of federal litigation are always high, and a loss at trial could mean that the plaintiff would be out not only its own attorney’s fees, but also those of its adversary.

June 18, 2008

For Most U.S. Residents, Internet E-mail Likely is Safe from Civil Legal Discovery by Third Parties

A federal court recently issued an opinion indicating that, at least for U.S. residents, public, third-party-hosted and Internet-based e-mail may be the virtual world’s equivalent of a Swiss bank account for personal information. In In re Subpoena Duces Tecum to AOL, LLC, the U.S. District Court for the Eastern District of Virginia considered a subpoena issued by lawyers for State Farm to AOL, requesting copies of e-mails from the accounts of two non-party witnesses in litigation pending in a different jurisdiction. The Virginia magistrate judge granted the witnesses’ motion to quash the subpoena, and in its opinion, the court upheld the magistrate’s decision, citing the U.S. Electronic Communications Privacy Act (ECPA).

Among other things, the ECPA prohibits providers of “electronic communication services” from “knowingly [divulging] to any person or entity the contents of a communication while in electronic storage by that service.” The ECPA also includes a number of exceptions, most notably including several directed to governmental and law enforcement authorities. State Farm argued that the terms of one exception were broad enough to include within their scope court orders issued pursuant to discovery requests in civil litigation, but the district court, citing to prior precedent, disagreed and allowed the magistrate’s order to stand.

This case and others indicate that one consequence of the ECPA has been to provide an incentive to opt, whenever feasible, for third-party hosted e-mail, rather than privately hosted e-mail, which is not included within the scope of the ECPA’s protections. Potentially restrictive terms of service and third-party account control may outweigh other considerations, but where it is important, for whatever reason, to avoid discovery of electronic communications through legal discovery, publicly hosted e-mail appears to include certain advantages.

May 29, 2008

New Jersey Court Determines Internet Users Have a Constitutional Right to Privacy

The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a Constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury warrant will be required before law enforcement officials can access personal information about the Internet users.

The Court considered the issue after Shirley Reid was charged with second-degree theft for allegedly hacking into her employer’s computer system from her home computer. When her employer asked Comcast for the identity of the person who accessed the employer’s computer network, Comcast refused to do so without a subpoena. Investigators then obtained a municipal court subpoena and served it on Comcast. Comcast complied with the subpoena and identified Reid as the person who accessed the employer’s network.

A New Jersey superior court suppressed the evidence based on the fact that investigators did not obtain a grand jury subpoena. A state appellate court agreed, and the Cape May County Prosecutor’s Office appealed to the New Jersey Supreme Court, which unanimously upheld the decision. The Prosecutor’s Office has indicated that it intends to continue pursuing the case by requesting the appropriate grand jury subpoena.

Although the United States Supreme Court concluded that there is no federal Constitutional right to privacy on the Internet, the New Jersey law will take precedence in New Jersey cases involving Internet privacy.

May 14, 2008

The Use of Pricing Schedules in Managed Service Provider Agreements

Many managed service providers incorporate their pricing and payment terms into their Master Services Agreements or their Service Level Agreements. While it is important to ensure that the financial arrangements are clearly delineated in writing to ensure that everyone’s expectations are clear, it is equally important to allow Managed Service Providers (“MSPs”) to adjust their prices when circumstances justify an increase.

One way to allow for flexibility is to extract the pricing information from the Master Services Agreement or Service Level Agreement and include a pricing addendum to the agreements. With a separate pricing document, an MSP can adjust the price without revising an entire MSA or SLA. Because many agreements span several years, MSPs should protect themselves by reducing the possibility that a price increase will result in a renegotiation of all the MSP agreements. For example, a managed services client who is presented with a revised agreement containing new pricing and a description of services identical to the original agreement may insist on renegotiating the scope of services provided. However, if the original agreement contains a provision allowing for periodic increases in pricing, and if the pricing document is separate from the core agreements, the MSP may be able to increase its prices, send an updated pricing addendum, and avoid renegotiating the terms of the rest of the agreement.

It is important to consider whether to allow your clients to terminate the agreement in the event of a price increase. Many MSPs want to use price increases as a way to jettison underperforming clients. To achieve that objective, these MSPs allow their customers to terminate the agreement if the MSP increases the price. Others want to have the right to increase the price by a certain percentage without the possibility of cancellation. Like other components of an agreement, the pricing provisions should be specifically tailored to meet the business objectives of each MSP. Experienced counsel can assist MSPs with using documents to reduce risks and increase client satisfaction.

April 23, 2008

Summary Judgment Difficult to Obtain for Claims of Trademark Design Infringement

A recent opinion from the Southern District of California highlights the difficulties that a trademark owner can face when seeking summary judgment on a claim that a defendant infringed its design trademarks. HIT Entertainment, Inc., et al., v. National Discount Costume Co., Inc., et al., (“NDC”) stems from a case filed in the mid-1990s against NDC, a manufacturer and distributor of costumes. The plaintiffs then and in the current litigation alleged, in part, that NDC had engaged in the creation and sale of costumes based on their trademarked designs in certain children’s characters, such as Barney the Dinosaur. (In the current litigation, additional plaintiffs allege that NDC more recently infringed trademarked designs in Bob the Builder and Thomas the Tank Engine.) Though the parties to the older case settled out of court and stipulated to a permanent injunction, the current plaintiffs’ investigation revealed that NDC continued to make and distribute costumes based on Barney and the other characters. The plaintiffs sought and obtained a preliminary injunction and contempt sanctions against the defendants in the amount of $29,689.75, and they then moved for summary judgment on their claims of trademark and copyright infringement.

In its opinion, the court granted that part of the plaintiffs’ motion regarding claims that the defendants were liable for infringing the plaintiffs’ word trademarks in the names of the characters at issue. However, the fact-intensive nature of the infringement inquiry with regard to trademarked designs led the court to deny that part of the plaintiffs’ motion. While the plaintiffs attached evidence regarding the strength of the marks at issue; the similarity between the allegedly infringing costumes and the marks; and the defendants’ intent to allege the marks, the court noted that no compelling evidence was presented regarding the proximity of the costumes to the products and services sold under the marks; the presence of any actual confusion in the marketplace; any similarity in the marketing channels used for the allegedly competing products; the degree of care likely to be exercised by potential purchasers; or the likelihood of expansion of the relevant product lines. Courts typically look to all of the above factors in determining whether there is a likelihood of confusion sufficient to support a claim of infringement. In the absence of compelling evidence regarding so many of the factors, the court deferred to the Ninth Circuit’s admonishment that “district courts should grant summary judgment motions regarding the likelihood of confusion sparingly, as careful assessment of the pertinent factors that go into determining likelihood of confusion usually requires a full record.”

Trademark litigation can be littered with potential pitfalls for parties on either side of the aisle. It is important to consider all of the factors relevant to an infringement inquiry, both when making the decision to file a claim and when making strategic decisions during the course of the lawsuit.

April 3, 2008

What Constitutes a “Copy” of Software Under Copyright Law?

Software auditors almost always try to find ways to maximize the number of allegedly infringing software “copies” at issue in an audit engagement. It is typical for the Business Software Alliance (BSA), the Software & Information Industry Association (SIIA), and other software publishers to demand that their small-to-medium-sized business targets disclose all installations of relevant software products on all of the computers owned by the target, which number the auditors then use in determining how much money they are going to demand in settlement to keep the matter from going to court. This is perhaps unsurprising behavior by the auditors, because it clearly gives them more leverage during settlement negotiations. However, according to more than one federal court, it may not be a correct interpretation of federal law.

In FM Industries, Inc. v. Citicorp Credit Services, Inc., the United States District Court for the Northern District of Illinois determined the existence and extent of infringement of a software program by a business whose license to use the program had expired. In the case, the business at issue claimed that its use was non-infringing because it initially installed the software with the consent of the publisher. The court rejected this argument, holding that “a user reproduces a program stored in his computer's hard drive merely by launching that program, thereby causing the computer to copy it to Random Access Memory.” The court also cited to a Ninth Circuit opinion in the case of MAI Systems Corp. v. Peak Computer, Inc., where the court there stated:

The district court's grant of summary judgment on MAI's claims of copyright infringement reflects its conclusion that a “copying” for purposes of copyright law occurs when a computer program is transferred from a permanent storage device to a computer's RAM. This conclusion is consistent with its finding, in granting the preliminary injunction, that: “the loading of copyrighted computer software from a storage medium (hard disk, floppy disk, or read only memory) into the memory of a central processing unit (“CPU”) causes a copy to be made. In the absence of ownership of the copyright or express permission by license, such acts constitute copyright infringement.” We find that this conclusion is supported by the record and by the law.

These opinions are at odds with the standard tactics employed by the BSA, the SIIA, Autodesk, and other software auditors. For example, when presented with information that a design firm has repurposed a CAD workstation to a reception desk or, in a perhaps more stark example, decommissioned the machine to a storage closet, the BSA would argue that any design or CAD software remaining on the machine’s hard drive remains relevant for audit purposes, and they would use any such installations as factors in calculating a settlement demand. However, according to the FM Industries and MAI Systems opinions, this methodology is flawed. A correct damages model would not count as “copying” the mere presence of copyrighted software on a hard drive. The relevant inquiry is whether that software is being used by loading it into a computer’s RAM.

When faced with a software audit demand from the BSA, the SIIA, or any other software publisher or industry representative, before disclosing any information regarding the software in use in your business’ computer network, it is important to consult with counsel to determine what is and what may not be within the scope of the audit.

March 25, 2008

FTC Deadline for Commenting on Behavioral Advertising Guidelines Extended Until April 11

Businesses that use behavioral marketing and advertising techniques may consider reviewing and commenting on the Federal Trade Commission’s (“FTC”) proposed guidelines. The guidelines are designed to provide consumers with more visibility into the behavioral advertising process, which the FTC recognizes can be very valuable.

The FTC’s guidelines are designed to address four primary concerns:
- greater transparency and consumer control;
- the need to prevent criminals from accessing data collected for behavioral advertising;
- ensuring that companies keep their privacy promises when changing their privacy policies;
- the collection of sensitive data, like medical records or children’s activities, for behavioral advertising.

According to the FTC, businesses could use the guidelines as a tool for self-regulation. The FTC has extended the deadline for commenting on the guidelines until April 11. For the complete text of the proposed guidelines, visit the Federal Trade Commission.

March 6, 2008

IT Departments Having Difficulty Finding Employees with Proficient Privacy and Security Skills

Network World recently published the results of a Computer Technology Industry Association (“CITA”) survey indicating that many businesses are in need of IT professionals with a variety of security and data privacy skills. Although approximately 75 percent of businesses identified security, firewall, and privacy skills as essential to the success of their organization, only about half of the businesses surveyed said they believed their employees possessed the necessary privacy and security skills.

Many organizations are aware of the skills gaps in their IT departments and are planning to offer training or encourage employees to complete certification courses. However, the skills gaps could pose a problem for organizations that do not take corrective action soon enough. For instance, if a HIPAA-covered entity is aware that its security personnel are not adequately trained, and takes no steps to correct the deficiency, the organization is likely out of compliance with HIPAA requirements.

It is important for organizations to review their privacy and security policies, identify any risks, prioritize the corrective action, and implement solutions. Organizations that are struggling to find qualified candidates may consider using outside consulting services to assist with the privacy and security initiatives.

February 27, 2008

HIPAA Audits Will Increase in 2008

In 2008, the Centers for Medicare & Medicaid Services (CMS) announced that it entered into a contract with PricewaterhouseCoopers to audit covered entities and ensure compliance with the HIPAA security standards. According to CMS, the initial round of audits will be directed at the hundreds of companies about which it has received complaints.

Although CMS has the authority to enforce the HIPAA security standards, for the last several years it has been focused on outreach and education rather than enforcement. This year, that focus will change, and CMS will audit 10-20 hospitals over the next 9 months. CMS indicates that it will not publish the names of the entities it audits.

If you are a covered entity under HIPAA, and you have not conducted an internal review of your HIPAA security policy and enforcement, you should consider consulting experienced counsel to guide you through the process.

February 19, 2008

Consumer Files $54 Million Lawsuit Against Best Buy for Lost Laptop

Raelyn Campbell bought a new laptop in 2006 from Best Buy for $800. She says she was also persuaded to purchase the $300 protection program. When her laptop needed repairs in 2007, she dropped it off at her local Best Buy. Best Buy apparently fabricated status updates each time Ms. Campbell called. Ultimately, Ms. Campbell learned that her laptop and all of its contents were lost.

Best Buy never explained what happened to the computer, but offered to give Ms. Campbell a $900 gift card for her trouble. Ms. Campbell rejected the offer and requested $2,100 in compensation. When she received no response, Ms. Campbell reported Best Buy to her local Attorney General’s office, and received a slightly higher offer. Ms. Campbell’s laptop contained thousands of dollars of music, and more importantly her private personal information, and her tax returns. Ms. Campbell never received a notice from Best Buy that her personal information may have been compromised.

Although Ms. Campbell realizes that it is unlikely she will recover millions of dollars for her lost laptop, she hopes she can get more information about what happened to her personal information.

February 13, 2008

Expedited Trial in Silicon Image vs. Analogix Matter

In 2007, Silicon Image filed a lawsuit against Analogix alleging, inter alia, that Analogix infringed Silicon Image’s copyright when it purportedly gained unlawful access to Silicon Image’s semiconductor software. Silicon Image also claimed that Analogix misappropriated Silicon Image’s proprietary register maps, and that Analogix encouraged existing and prospective customers to modify Silicon Image’s software for use that was outside the scope of Silicon Image’s software license agreements.

Although the United States District Court for the Northern District of California found that Silicon Image demonstrated a likelihood of success on its claim of misappropriation, the court refused to grant a preliminary injunction. Instead, the judge scheduled an expedited trial for April 8.

The judge noted that Silicon Image may have difficulty demonstrating that it protected its trade secrets. Companies that are trying to protect trade secrets and other intellectual property need to ensure that they are adequately policing their marks. Failure to properly protect intellectual property could jeopardize a company’s ability to seek recovery for infringement.

February 6, 2008

Autodesk Audit: The Importance of Serial Numbers

In many software audits, the auditing entity like the Business Software Alliance or the Software & Information Industry Association requires a dated proof of purchase to demonstrate when a license for a software product was acquired. However, in audits initiated by Autodesk, the serial number can play a crucial role in demonstrating ownership.

Autodesk products are typically upgraded frequently, and Autodesk usually issues a new, unique serial number with each purchase. When responding to an Autodesk audit, the business that owns Autodesk products may elect to provide the serial numbers in lieu of the invoices. It is important to provide serial numbers for the versions of the products that are installed and in use as of the date of Autodesk’s letter. For instance, if a company upgraded a copy of AutoCAD® 2000i to AutoCAD® 2004, the company should not provide both serial numbers to Autodesk in response to the audit request.

It is also important to realize that Autodesk licenses are generally non-transferrable without Autodesk’s written permission. If an audited company is planning to produce a serial number for a product that was not obtained from an authorized Autodesk reseller, there is a strong likelihood that the company will not get credit for the license.

If you have been audited by Autodesk, please seek advice from experienced counsel before responding. For more information, please visit

January 11, 2008

Responding to Autodesk Audits

The BSA and SIIA are not the only organizations pursuing business for software copyright infringement. Though it is a member of both the BSA and SIIA, Autodesk, which manufactures the popular design software AutoCAD, often pursues audit targets on its own.

The audits begin much like those instituted by the BSA or SIIA. The target of Autodesk’s audit will receive a letter from a law firm representing Autodesk demanding the business’ cooperation in disclosing the number of Autodesk installations on its network and the number of Autodesk licenses it owns, including serial numbers. The law firm will assert it has received information that indicates the business may have more installations of Autodesk software than it is licensed to use. The letter will go on to describe the various penalties associated with copyright infringement, and it may threaten the business with civil litigation.

Targets who receive such letters should treat the matter very seriously. It is important to know your legal rights and protect your legal position before responding to a request for information from a software publisher who is trying to conduct an audit. Additionally, companies who prepare their own responses to Autodesk without the benefit of counsel and before conducting a thorough investigation often receive an unexpectedly high settlement offer from Autodesk.

In many cases, Autodesk demands a settlement payment calculated as the MSRP of the allegedly unauthorized products installed on the business’ network multiplied by three. The multiplier, Autodesk argues, is the penalty for using unauthorized software and is assessed in lieu of proceeding with formal judicial resolution. The use of multipliers as an approximation of damages is a hotly contested issue.

When responding to Autodesk audit requests, companies should work with experienced counsel to thoroughly investigate the software usage on their computers, protect themselves by requesting agreement from Autodesk regarding the use of the materials that will be produced in the audit, and negotiate a resolution geared toward ensuring future compliance.

January 4, 2008

No FTC Opposition for Google’s Acquisition of DoubleClick

Despite the opposition posed by consumer advocacy and privacy groups, the Federal Trade Commission recently voted to close its investigation of Google’s proposed acquisition of DoubleClick. Opponents argued that combination of Google and DoubleClick’s data could be exploited and used to invade consumers’ privacy. The FTC considered the issue for more than a year, conducting public hearings and reviewing millions of pages of documents.

In reaching its decision, the FTC determined that the proposed transaction was not likely to harm competition or injure consumers. The FTC concluded that it did not have jurisdiction to block an acquisition for reasons not related to antitrust violations. It also determined that regulating the privacy requirements of only one company would likely harm competition, rather than encourage it.

To review the text of the FTC’s decision, click here:

December 5, 2007

Nevada Passes Data Encryption Law

Nevada recently passed a law requiring businesses to encrypt customers’ personal information during transmission of an electronic transaction. While other data protection laws require the shredding of records or the implementation of reasonable security measures to protect sensitive information, Nevada’s mandates use of encryption technology.

What is prohibited activity?

The Nevada law is brief: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Under NRS 205.4742, encryption means the use of any protective or disruptive measure including, but not limited to cryptography, enciphering, encoding or a computer contaminant, in order to:

  1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
  2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
  3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

To what information does the statute apply?

Personal information, defined in NRS 603A.040, means a person’s first name or first initial and last name combined with any one or more of the following, when the name and data elements are not encrypted:

  1. Social security number.
  2. Driver’s license number or identification card number.
  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

The statute specifically excludes from the definition of personal information “the last four digits of a social security number or publicly available information that is lawfully made available to the general public.”

Statutory Ambiguity

Though it defines “encryption” and “personal information,” the statute does not define the terms “secure system,” “business,” or “customer.” It is also unclear whether the statute applies only to Nevada residents.

If your business does or plans to do business in Nevada, you should carefully review the provisions of Nevada’s new data encryption law to determine whether you are transmitting personal information in a sufficiently encrypted form.

October 23, 2007

BusyBox Sues Monsoon for Violations of GNU GPL

Erik Andersen and Rob Landley, authors of a UNIX program called BusyBox, recently filed one of the first lawsuits in the United States based on violations of the GNU General Public License, Version 2 (“GPL”). In Andersen et al. v. Monsoon Multimedia Inc., filed in the Southern District of New York, the authors claimed that a company called Monsoon infringed their copyright because Monsoon incorporated the BusyBox software into its HAVA TV product without properly making the final software product freely available to its customers.

Andersen and Landley distributed BusyBox under the GPL, a type of Copyleft license. Copyleft is a use rights system allowing free use of a creation as long as the resulting work is similarly published with free use rights. Andersen and Landley claimed that by using BusyBox, Monsoon was required to distribute its derivative work (HAVA TV), or at least the portion of HAVA TV incorporating BusyBox, under a similar Copyleft license. The plaintiffs in the case are seeking copyright damages – money damages, disgorgement, an injunction, and attorney’s fees.

If you or your client is incorporating software licensed under the GPL into products that will be redistributed, it is important to review the GPL and understand the obligations regarding redistribution of the software.

Read about Copyleft here.

The MPAA Wants To Control Your iPod

Many iPod® video users have been frustrated by the lack of ability to load legally purchased movies in DVD format onto their devices. Although iTunes® users can successfully load songs from CDs into iTunes®, those users cannot load their movies. According to the MPAA, DVD purchasers must re-purchase movies in the iTunes-friendly Quicktime .mov format.

Although conversion technology exists to convert .wmv files to .mov files, some argue that such an action would violate the Digital Millennium Copyright Act (DMCA). DVDs, unlike most music compact discs, contain encryption technology to prevent buyers from copying the movie. The DMCA provides that “[n]o person shall circumvent a technological measure that effectively controls access to a work….” 17 U.S.C. 1201(a). Ripping a DVD and converting it to another format is arguably a violation of this DMCA provision.

Boston-based Load ‘N Go is being sued by the MPAA for copyright infringement and DMCA violations. Load ‘N Go sells software that allows users to rip DVDs they own and upload them to their iPods. They will even sell an iPod pre-loaded with your DVDs. (News story here.)

These DMCA provisions and the methods the market uses to employ them struck two legislators as counter-intuitive. It does not seem logical that users can copy compact discs but not DVDs. Click here to read our blog post on a proposed amendment to the DMCA called the Freedom And Innovation Revitalizing U.S. Entrepreneurship Act of 2007 (FAIR USE Act) that seeks to remedy some of the less consumer-friendly provisions of the DMCA.

October 5, 2007

Web Site Hacking Suit Fails

Judge Robert F. Kelly of the Eastern District of Pennsylvania ruled that viewing archived web pages, even pages that the owner intended to keep private, does not constitute copyright infringement or “hacking.” In Healthcare Advocates Inc. v. Harding, Earley, Follmer & Frailey et al., 2007 WL 2085358 (E.D. Pa. July 20, 2007), the plaintiff unsuccessfully alleged copyright infringement, violations of the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act, conversion and trespass to chattels.

Law firm Harding, Earley, Follmer & Frailey LLP used a website search engine called the Wayback Machine to locate and print archived web pages central to a copyright matter it was handling for a client. An employee of the opposing party in the underlying case inserted a special line of code in the web pages’ “robots.txt” file to prevent the pages from being archived. Despite this extra code, Harding Earley was nonetheless able to view some of the web pages.

The court ruled that although Healthcare Advocates satisfied the test for copyright infringement, Harding’s access constituted a fair use under the Copyright Act because Harding was not planning to resell the material or use it to undermine the web site owner’s business.

The judge also granted summary judgment against the plaintiff on its DMCA claim because the evidence did not show Harding used any improper “hacking” process to view the web pages. A technical server error caused the Wayback Machine to inadvertently reveal the files. There was no circumvention of a technological measure, which is an element of a DMCA claim. 17 U.S.C. § 1201(a)(3)(A). The plaintiff’s own expert agreed that Harding did not “hack” the web pages. Finally, the court ruled in favor of Harding on the Computer Fraud and Abuse Act claim, because Healthcare Advocates did not show the requisite minimum $5,000 loss.

If your business has been accused of copyright infringement, experienced counsel can advise you regarding whether there are any affirmative defenses that you can raise that may allow you to have the claims dismissed in a pretrial motion.

The Merger Doctrine and Substantial Similarity

“What's in a name? That which we call a rose by any other name would smell as sweet.” – Romeo and Juliet by William Shakespeare.

The merger doctrine states that where an idea and its expression are inseparable, the courts will not grant copyright protection. Johnson Controls, Inc. v. Phoenix Control Systems, Inc., 886 F.2d 1173, 1175 (9th Cir. 1971). The Copyright Act does not expressly address the merger doctrine. See 17 U.S.C.A. §§ 101-914 (1976). Like the scenes à faire doctrine, the merger doctrine is a judicial creation of law and equity.

The most noted merger doctrine case is that of Herbert Rosenthal Jewelry Corp. v. Kalpakian, 446 F.2d 738 (9th Cir. 1971). In this case, the plaintiff brought a copyright infringement claim alleging that another jeweler copied the plaintiff’s design of a jewel-encrusted pin in the shape of a bee. Id. The court noted that there were only a limited number of ways in which a jeweler could create a bee-shaped pin. Id. at 741. The 9th Circuit Court held, “the ‘idea’ of a jeweled bee pin and the ‘expression’ of the ‘idea’ were inseparable, thus copying the ‘expression’ would not be barred by copyright registration.” Id. at 742. Furthermore, the substantial similarity of the two expressions of the same idea was inevitable. Id.

There is a distinction between the merger doctrine and the scenes à faire doctrine. The merger doctrine applies when the idea and the expression are inseparable. Landsberg v. Scrabble Crossword Game Players, Inc., 736 F.2d 485 (9th Cir. 1984). The scenes à faire doctrine applies when substantial similarity of the expression is a natural result of the genre or common idea. Cain v. Universal Pictures Co., Inc., 47 F.Supp. 1013 (S.D. Cal. 1942). Despite this distinction, the courts often confuse scenes à faire doctrine with the merger doctrine. Both doctrines are considered an affirmative defense to a copyright claim.

Even when a court finds that a defendant fails to prove the affirmative defense of scenes à faire or merger, a plaintiff must still show there is substantial similarity between the two works. In other words, it is the plaintiff’s ultimate burden of proof to prove that the alleged infringing work is, as a matter of fact, substantially similar. In order to meet this substantially similar standard, the courts require a plaintiff to meet a two-pronged test: (1) a plaintiff must show that the general ideas are substantially similar using an extrinsic test; and (2) the plaintiff must show that the expression of those ideas is substantially similar using an intrinsic test. See Sid & Marty Krofft Television Productions, Inc. v. McDonald’s Corp., 562 F.2d 1157, 1163 (9th Cir. 1997).

The extrinsic test for similarity of ideas scrutinizes specific criteria which can be listed and analyzed. These extrinsic criteria may include “the type of artwork involved, the materials used, the subject matter, and the setting for the subject.” Id. at 1158. This question is usually decided as a matter of law. Id. at 1164. The intrinsic test, however, is determined by the trier of fact. Either a judge or a jury decides whether the two competing works are substantially similar enough in the expression of the idea in order to constitute infringement. The intrinsic test applies using the ordinary reasonable person standard. Id.

However, where the court recognizes that the affirmative defense of scenes à faire or merger doctrine applies, the court is in essence making a determination as to the substantial similarity of the works. The court recognizes that even though the works may be substantially similar, the scenes à faire doctrine or the merger doctrine precludes recovery for infringement.

Data Destruction Laws

Many states have laws regulating how a holder of data must dispose of personal information. Such laws protect data if the holder decides it no longer wants to maintain that data.

There are generally two types of data destruction laws: those that specifically enumerate how the data must be destroyed and those that mandate the use of a disposal system that meets a reasonableness standard. Some states include both types, though most choose only one. States that fall into the first category typically use some variation of the following regulation: “Businesses must take all reasonable steps to destroy records by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable.” Note that the statute defines how the records must be destroyed and what the final outcome of the process must yield. States that have passed this type of law include:

  • Arkansas
  • California
  • Georgia
  • Indiana
  • Kansas
  • Massachusetts
  • Michigan
  • Montana
  • Nevada
  • New Jersey
  • New York
  • Oregon
  • Rhode Island
  • Texas
  • Vermont

The second type of data destruction law provides that: “businesses shall maintain reasonable security procedures and practices appropriate to the nature of the information to protect from unauthorized access, destruction, use, modification, or disclosure.” States that adopted this form of a records destruction law are:

  • Arkansas
  • Colorado
  • Illinois*
  • Maryland
  • Nevada
  • North Carolina
  • Oregon
  • Utah
  • Washington

If your business operates in one or more of the above states, you should ensure that you are properly destroying any unneeded data. Improper destruction of records could lead to liability, unnecessary expense, and wasted time. More and more states are adopting and enforcing these laws; you do not want to be caught unaware.

* Applies only to state agencies.

September 26, 2007

User Privacy is Not Guaranteed as a Matter of Law

TorrentSpy Ceases United States Operation After Court Orders Company to Turn Over User Information

"You have zero privacy anyway… Get over it." - Scott McNealy.

TorrentSpy, the BitTorrent tracking site facing a copyright lawsuit from the motion picture industry, is shutting down access to users in the United States, the company said in a statement late Sunday night. TorrentSpy’s ban on U.S. residents comes as a United States District court is expected to rule on whether TorrentSpy must turn over its login user information to the Motion Picture Association of America (the “MPAA”). The MPAA filed a civil complaint against the company last year accusing TorrentSpy of violating copyright law.

Officially, TorrentSpy explained that its decision to stop accepting U.S. visitors was not compelled by any court, but rather from the uncertain legal climate in the United States regarding user privacy and the apparent conflict between the privacy laws in the United States versus the stricter standards of the European Union. However, TorrentSpy also noted that because its servers are located in the Netherlands, its Web Site will remain operational and accessible to users outside of the United States. The MPAA declined to comment on TorrentSpy's decision.

According to the MPAA, TorrentSpy is a search engine that helps users find unauthorized copies of copyrighted videos. TorrentSpy unsuccessfully argued to Judge Chooljian that the company is legitimately protected under the Digital Millennium Copyright Act. The DMCA provides safe harbor for Internet service providers and does not hold them responsible for unlawful acts committed by their users. TorrentSpy’s attorney, Ira Rothken said that the Court’s pending decision will not affect TorrentSpy’s appeal of Magistrate Judge Chooljian’s recent decision to produce user information from the RAM on the company's computers. In an interview with CNET, Mr. Rothken warned, "This is a wake-up call to citizens and Internet users that their privacy isn't protected as well as they might have thought. Google, Yahoo and other search engines should be very concerned. One day these attacks on privacy will likely affect them."

The immediate concern for TorrentSpy is that if it is forced to disclose its login user data, some of TorrentSpy’s end users may be targeted by the MPAA as well. Other businesses may consider rewriting their data privacy policies to include a provision that the business cannot be held responsible for disclosing a customer’s private information in response to a court order.

Texas Lawsuit Challenges Attribution Licenses

An invasion of privacy lawsuit filed last week in a Dallas County District Court is challenging a popular internet web site’s license policies. In April 2007, minor Alison Chang’s youth counselor snapped a photograph of Alison and posted it on Flickr, a Yahoo photo-sharing web site. Within several months, Alison’s photo was posted around the world as part of Virgin Mobile’s “Are you with us or what” campaign. Chang and the photographer sued Virgin and others for invasion of privacy, libel, and breach of contract.

One of the central arguments in the complaint is that the subject of a photograph does not lose his or her right to privacy merely because the photographer posted the photograph on a photo-sharing web site. The plaintiffs in the matter claim that even though the photographer granted commercial users the right to download Chang’s photo, those same users were also required to get Chang’s permission to use her likeness in an advertising campaign.

The case raises interesting issues related to license grants juxtaposed against an individual’s privacy rights. It will be interesting to see what limitations, if any, the court imposes on use of photos posted on photo-sharing sites. If your business is facing a claim that it improperly used copyrighted materials even though it had a license to do so, you should contact experienced counsel to discuss your legal rights.

Hollywood Embellishment v. History: The Affirmative Defense of Scenes à Faire Regarding Historical Events.

“Freedom is not given. It is our right at birth. But then there are moments in History where it must be taken.” – President John Quincy Adams from the movie Amistad, DreamWorks SKG Studios.

In 1997, author Barbara Chase-Riboud filed a $10 million lawsuit and injunction against director Steven Spielberg and his Hollywood production company, DreamWorks SKG (“DreamWorks”), for copyright infringement. See Chase-Riboud v. Dreamworks Inc., 987 F.Supp. 1222 (C.D. Cal. 1997). The film, Amistad, is based upon a historical event. In 1839, Sengbe Pieh staged a slave rebellion on board the Spanish slave ship, La Amistad. The ship was eventually intercepted by the United States Navy and towed to New Haven, Connecticut, where the slaves stood trial. President John Quincy Adams argued on behalf of the slaves before the United States Supreme Court.

Steven Spielberg claims his movie was based upon the nonfiction book, “Black Mutiny” by William Owens, to which Debbie Allen bought the rights. The screenplay was written by David Franzoni and Academy Award winner Steven Zaillian. Ms. Chase-Riboud claims that the movie was based upon her novel, “Echo of Lions,” published by William Morrow in 1989. Chase-Riboud further claims the film contains far too many similarities to her novel, which she previously submitted to Spielberg’s Amblin Entertainment. Defendant DreamWorks argued that the suit was without merit because the film was based upon historical fact and is therefore not subject to copyright protection.

The issue of copyright protection for creative works based upon history is becoming a concern for the motion picture industry. This combination of history and Hollywood embellishment is commonly referred to as “historical fiction”. For the purpose of this discussion, historical fiction is defined as an original creative work based upon historical fact. At what point does the writer create a protectable expression from historical fact? Asked another way, “At what point does copyright law protect the expression of an idea without allowing monopolistic ownership of the factual historical event itself?” This is not intended to be an exhaustive analysis of substantial similarity concerning competing works, but rather as a focused discussion on the judicial application of the doctrine of scenes à faire.

The United States Constitution expressly grants Congress the power to grant copyright protection “to promote the progress of science and useful arts.” “The Congress shall have power… to promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.” The primary purpose of copyright law is to stimulate creativity for the public good. However, copyright law does not protect an idea, but rather the original expression of the idea. This doctrine appeases two opposing rationales: (1) it compensates individuals for their creative labor; (2) yet it provides society the benefit of subsequent individual interpretation regarding the same subject matter.

The scenes à faire doctrine states that if the copyright holder’s expression is a scene that naturally results from a common idea, then subsequent expressions of the same scene do not constitute copyright infringement. The scenes à faire doctrine is a judicial creation of law and equity. This doctrine reasons that there are some scenes that must be included in a given context because identical situations call for identical scenes. Additionally, there are certain stock scenes, or clichés, which naturally develop from a genre of a given idea.

American jurisprudence was introduced to the doctrine of scenes à faire in the landmark case, Cain v. Universal Pictures Co., Inc., 47 F.Supp. 1013 (S.D. Cal. 1942). In Cain, the author filed a copyright infringement action claiming that the motion picture, “When Tomorrow Comes”, copied a church sequence described in his novel “Serenade.” The church sequence involved two lovers who spent the night in a choir loft in order to seek shelter from a storm. The plaintiff cited similar events such as playing the piano, prayer and hunger. The United States District Court for the Southern District of California held that similarities and incidental details which are necessary to the environment or setting of an action are not material of which copyrightable originality conflicts. Therefore, although scenes of a creative work may be substantially similar, there are some stock scenes that do not receive copyright protection. For example, a western movie will almost always involve cowboys wearing a six shooter, riding a horse and walking into a town saloon. Similarly, the western saloon will almost always have swinging doors, a bar with a large mirror and whiskey. “All of those elements are necessary to telling any story set in western times basically. As so the court filters out those scenes à faire, things that are required to the telling of that story.”

“Plots and themes are what ideas are made of, but dialogue, mood, pace and sequence are the very essence of expression.” Jason v. Fonda, 698 F.2d 966 (9th Cir. 1982). Hence it is this essence of expression that may receive copyright protection. However, historical facts may not receive copyright protection because they are not the original works of the author. The doctrine of scenes à faire ensures that history belongs to the public domain. “The distinction is one between creation and discovery: the first person to find and report a particular fact has not created the fact; he or she has merely discovered its existence.” Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 111 S.CT. 1282, 113 L.Ed.2d 358 (1991).

In the case of Amistad, Federal District Judge Collins defined scenes à faire as “incidents, characters or setting which are as a practical matter indispensable, or at least standard, in the treatment of a given topic.” Chase-Riboud v. Dreamworks Inc., 987 F.Supp. 1222, 1227 (C.D. Cal. 1997). Federal District Judge Collins further noted in his opinion that, “scenes à faire and factual material must be filtered out of any analysis of substantial similarity.” The Court ultimately found DreamWorks’ scenes à faire affirmative defense unpersuasive because DreamWorks used the same characters as Ms. Chase-Riboud did in her novel that were not “‘indispensable, or at least standard, in the treatment of a given topic.’” Id. at 1227. But the Court went on to conclude that the characters at issue were not “especially distinctive” enough to warrant copyright protection, either. Id. at 1228. Ms. Chase-Riboud’s Motion for Preliminary Injunction was denied for her failure to carry the plaintiff’s burden of proving substantial similarity.

“The scope of copyright protection in historical accounts is narrow indeed, embracing no more than the author’s original expression of particular facts and theories already in the public domain.” Id. at 1226 (citing Hoehling v. Universal City Studios, Inc., 618 F.2d 972, 974 (2d Cir. 1980)). The doctrine of scenes à faire leads us to substantiate the proverbial maxim, “there is no such thing as an original idea”… but there is such a thing as an original thought.

September 11, 2007

Massachusetts Enacts Data Privacy Law

Massachusetts recently became the 39th state to enact a data breach notification law. The law was approved by the governor on August 2, 2007.

There is a question regarding when the law becomes effective. Although many legal reviewers have indicated that the law becomes effective on February 3, 2008, the deferred effective date applies only to section 17, the provision that applies to the destruction of records. There is no specifically enumerated effective date for section 16, the section containing the requirements related to breach notification. Because there is no effective date for section 16, the default effective date for the section is October 31, 2007.

The law applies to any person, corporation, association, partnership, other legal entity or governmental organization that maintains or stores data that includes personal information about a Massachusetts resident. Personal information is defined as a resident’s first and last name, or first initial and last name in combination with any one or more of the following:

  • Social Security number;

  • driver's license number or state-issued identification card number; or

  • financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

A security breach is defined as “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud.”

A person or agency that only stored or maintained the data must give notice to the owner or licensor of the data as soon as practicable and without unreasonable delay when the person or agency knows or has reason to know about the breach, or when the person or agency knows or has reason to know that the data was used by an unauthorized person or for an unauthorized purpose. The person or agency must also cooperate fully with the owner or licensor except that the agency or person does not have to divulge confidential business information or trade secrets.

A person or agency that owned or licensed the data must provide notice to the attorney general, the director of consumer affairs, and the resident. The director of consumer affairs must identify any relevant credit reporting or state agencies and forward to the notifying person or agency the names of the credit reporting and state agency. The person or agency must then provide notice to the consumer credit or state agency on behalf of the affected individuals.

The Massachusetts law contains similar exclusions that allow notice to be delayed if a law enforcement agency determines that complying with the notice requirements will impede a criminal investigation. The law enforcement agency must notify the attorney general in writing for this exemption to apply.

The Massachusetts attorney general may bring an action against a person or otherwise to remedy violations of this law, and for other relief that may be appropriate.

Because there are so many variants in the state breach notification laws, companies that have security incidents should work with experienced counsel to carefully review the data breach laws in the relevant states to determine whether notification is required under the circumstances.

Canadian PIPEDA Jurisdictional Ruling Unclear

I recently posted a blog regarding the Canadian PIPEDA. A decision from a Canadian Federal court discussing PIPEDA and its jurisdiction was recently brought to my attention and deserves mention here. Lawson v. Accusearch Inc., 2007 FC 125 (CanLII).

Philippa Lawson is a Canadian citizen and executive director of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa’s Faculty of Law. Ms. Lawson filed a complaint with the Canadian Privacy Commissioner regarding an American company that allegedly violated the Canadian PIPEDA. She alleged that the company, although based in the United States, violated PIPEDA in a number of respects.

After a preliminary investigation, the Privacy Commissioner determined that PIPEDA did not grant her jurisdiction over the company or its parent, Accusearch, Inc. Ms. Lawson thereafter reformulated her complaint to account for this denial of jurisdiction. The Canadian Federal court analyzed PIPEDA to determine whether Parliament vested the Privacy Commissioner with “authority to investigate complaints levied against foreign organizations which collect, use and sell the personal information of Canadians.”

Although the court agreed with the Commissioner that “PIPEDA gives no indication that Parliament intended to legislate extraterritorially,” the court ultimately concluded that the “Commissioner does not lose her power to investigate because she can neither subpoena the organization nor enter its premises in Wyoming.” The court did not provide any guidance as to the nature or scope of the Commissioner’s investigatory authority.

Therefore, it is not clear to what extent a company with no physical location and no assets in Canada could be successfully investigated by the Canadian Office of the Privacy Commissioner.

You can read the full opinion here.

August 28, 2007

Court to YouTube: “If You Want Safe Harbor Protection, Control Your Content.”

“Only a moron would buy YouTube.” - Mark Cuban

Internet and media darling YouTube, Inc. (“YouTube”) has received a copyright wake-up call of sorts: United States Federal District Judge Florence-Marie Cooper of the Central District of California denied its Partial Motion for Summary Judgment against Plaintiff Robert Tur. Robert Tur is a helicopter pilot and photojournalist who does business under the name Los Angeles News Service. Tur owns the copyrights to, and sells, a variety of news video to television stations, cable channels, motion pictures and other media outlets. Tur is best known for his award-winning coverage of the 1992 Los Angeles riots and the beating of truck driver Reginald Denny. Tur sued YouTube for copyright infringement under 17 U.S.C. § 501 and unfair competition, claiming that the streaming video website posted and distributed his video coverage without his consent.

YouTube, which is owned by Google, Inc., raised the affirmative defense of Safe Harbor Protection under the Digital Millennium Copyright Act (the “DMCA”), 17 U.S.C. § 512(c), and sought a determination by the Court regarding the same. Specifically, the DMCA provides four distinct safe harbors, but in order to pass judicial muster, the Defendant must first meet the Conditions for Eligibility set out in Section 512(i). Section 512(i) states:

The limitations of liability established by this section shall apply to the service provider only if the service provider:
(A) has adopted and reasonably implemented, and informs subscribers and account holders of the service provider’s system or network of, a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers; and
(B) accommodates and does not interfere with standard technical measures.

Next, YouTube must also meet the requirements of Section 512(c)(1). Section 512(c)(1) states:

A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider, if the service provider -
(A) (i) does not have actual knowledge that the material or an activity using the material on the system or network is infringing;
(ii) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or
(iii) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material;
(B) does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity; and
(C) upon notification of claimed infringement as described in paragraph (3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.

YouTube has long alleged that it does not “directly” receive a financial benefit from the videos posted on its website. However, YouTube also argued to the California Court that it does not have the right or ability to control the infringing activity. Judge Cooper rightfully noted in her opinion that “As the statute makes clear, a provider’s receipt of a financial benefit is only implicated where the provider also ‘has the right and ability to control such activity.’” 2007 WL 1893635 *3 (C.D. Cal. June 20, 2007). Judge Cooper continued, “As such, if YouTube does not have the right and ability to control the alleged infringing activity, the Court need not engage in the ‘financial benefit analysis.’” Id.

The Central District of California has long held that the “right and ability to control” infringing activity must be something more than just the ability of a service provider to remove or block access to materials posted on its website or stored in its system; it requires an ability to limit or filter copyrighted material. Therefore, YouTube’s own admission that it did not have the ability to control the alleged infringing activity persuaded the Court that YouTube did not satisfy the Safe Harbor requirements under Section 512(c)(1)(B), and the Court therefore denied its Partial Motion for Summary Judgment as a matter of law.

Businesses, Know Your Facts on FACTA: The Fair and Accurate Credit Transactions Act

Businesses take note: Customers are becoming aware of their data privacy rights and are willing to sue to protect those rights. Recently, a Pennsylvania woman brought a class action lawsuit against Lifetime Brands, Inc., better known to you and me as the Cadillac of sewing machines called Pfaltzgraff. Ehrheart v. Lifetimebrands, Inc., 2007 WL 2141979 (E.D. Pa. July 20, 2007). The complaint, filed in the Federal Eastern District of Pennsylvania, alleges that Pfaltzgraff violated the Fair and Accurate Credit Transactions Act of 2003, which requires retailers to conceal, or at least not disclose, credit card information on purchase receipts given to customers. Specifically, Section 605(g) expressly requires that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g)(1). The Plaintiff in this case alleges that Pfaltzgraff gave her a receipt that included her full credit card number and even printed the expiration date of the credit card.
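The receipt rule quoted above is mechanical enough to check automatically. The following is an added example (not code from the original post, and not anything the court or the parties used) showing, first, how a point-of-sale system should truncate a card number before printing and, second, a small audit that scans printed receipt text for the two FACTA violations alleged in Ehrheart: more than five card digits, and an expiration date. The sample receipts are constructed; 4111 1111 1111 1111 is a widely used test card number, not a real account, and a Luhn check is used so that other long digit runs (order or reference numbers) are not flagged as card numbers.

```python
import re

# FACTA truncation rule as quoted on the page (FCRA section 605(g)): a customer
# receipt may show at most the last 5 digits of the card number and must not
# show the expiration date.
MAX_VISIBLE_DIGITS = 5

# Card-number-shaped run of 12-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){11,18}(?!\d)")
# MM/YY or MM/YYYY that is not part of a longer calendar date such as 07/20/2007.
EXPIRY_RE = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{2}|\d{4})(?![\d/])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Mask every digit of the card number except the last `visible` ones."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - visible) + digits[-visible:]


def audit_receipt(text: str) -> list:
    """Return a list of FACTA findings for the printed text of one receipt."""
    findings = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        # Only a Luhn-valid run longer than the allowed 5 digits is a finding.
        if len(digits) > MAX_VISIBLE_DIGITS and luhn_ok(digits):
            findings.append(
                f"more than {MAX_VISIBLE_DIGITS} card digits printed (ends in {digits[-4:]})"
            )
    if EXPIRY_RE.search(text):
        findings.append("expiration date printed")
    return findings


# Constructed sample receipts (hypothetical store, test card number).
NONCOMPLIANT_RECEIPT = (
    "EXAMPLE OUTLET STORE\n"
    "VISA 4111 1111 1111 1111 EXP 05/09\n"
    "TOTAL $42.17\n"
    "07/20/2007 14:02\n"
)
COMPLIANT_RECEIPT = (
    "EXAMPLE OUTLET STORE\n"
    "VISA " + truncate_pan("4111 1111 1111 1111") + "\n"
    "REF 1234567890123456\n"  # 16-digit reference number, not Luhn-valid
    "TOTAL $42.17\n"
    "07/20/2007 14:02\n"
)

if __name__ == "__main__":
    for label, receipt in (("noncompliant", NONCOMPLIANT_RECEIPT), ("compliant", COMPLIANT_RECEIPT)):
        print(label, audit_receipt(receipt) or "no findings")
```

The audit is a sampling control, not proof of compliance: run it over a batch of receipt print jobs from each register configuration, because the Ehrheart complaint turns on what the printer actually emitted, not on what the policy said.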

Defendant Pfaltzgraff filed a traditional motion for summary judgment stating that Plaintiff lacked standing because the complaint failed to assert that Defendant acted willfully and because Plaintiff was not the victim of identity theft as a result of Defendant’s wrongful conduct. Defendant also argued that it was entitled to summary judgment because Plaintiff failed to allege that she suffered injury in fact. The Federal District Court correctly noted, however, that FACTA does not require that a plaintiff suffer actual monetary damages in order to bring suit under the Act. The mere fact that a business violated the Act, such as by printing more than the last five digits of her credit card or debit card number and/or printing the expiration date of her card, is sufficient to allege an injury under FACTA. Consequently, the Court held that the Plaintiff may be entitled to monetary damages.

So what is the Fair and Accurate Credit Transactions Act? FACTA is an amendment to the Fair Credit Reporting Act enacted in 2003 primarily to help the American public prevent identity theft. FACTA was also meant to protect businesses from having to comply with individual state laws. In truth, FACTA bars states from enacting stronger privacy laws than the Act allows. Most consumers are not aware of FACTA, but they are aware of the immediate benefits FACTA requires. For example, FACTA is best known by consumers for giving them the right to obtain one free credit report from each of the three major credit bureaus every 12 months. However, businesses need to be aware of FACTA because, as noted in the Ehrheart decision, mere violation of the Act may give a consumer the right to file suit and seek monetary damages. Section 616 et seq. outlines the civil liability for willful noncompliance, and Section 617 et seq. summarizes a business’ civil liability for negligent noncompliance.

Finally, businesses should take note that FACTA requires businesses and individuals to take suitable measures to dispose of an individual’s sensitive personal information derived from consumer reports. Therefore, businesses that use consumer reports for business purposes are subject to the FACTA Disposal Rule. Please note that the Disposal Rule applies to consumer reports and the information derived from consumer reports. The Federal Trade Commission considers consumer reports to include “information obtained from a consumer reporting company that is used, or expected to be used, in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes.” The Disposal Rule not only applies to credit reports, but also covers credit scores, reports businesses obtain regarding employment background, check writing history, insurance claims, residential or tenant history, and medical history. Therefore, the Disposal Rule is broad in nature, and businesses should determine whether FACTA applies to their internal operations (for example, employee background checks) as well as to their external, customer-facing business.

Minnesota Passes PCI-Inspired Data Protection Law

The Minnesota Plastic Card Security Act (“PCSA”) became effective August 1st, 2007. Designed to offer greater protection to consumers’ personal data, the PCSA is a controversial state law that applies broadly to businesses accepting credit cards in Minnesota.

The PCSA applies to “any person or entity conducting business in Minnesota that accepts an access device [e.g., credit or debit card] in connection with a transaction.” Size of the transacting entity is immaterial. Additionally, the law applies equally to persons and formal business entities accepting credit or debit cards.

What is prohibited activity under the PCSA?

The transacting entity must not retain the consumer’s PIN, card security code, or the full contents of any track of magnetic stripe data subsequent to the authorization of the transaction. In the case of a PIN debit transaction, the information may not be kept for more than 48 hours after the transaction has been authorized.
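The retention limits above are a good candidate for a recurring check against whatever store a point-of-sale or payment application writes to. The following is an added example (not code from the original post, and not a statutory text) that audits a constructed set of stored transaction records against the rule as the page describes it: any retained PIN, card security code or magnetic-stripe track data after authorization is a violation, except that PIN debit data is tolerated for up to 48 hours after authorization. Because stripe contents often leak into free-text or log fields rather than a dedicated column, the check also pattern-matches track-1 and track-2-shaped data in a notes field. Record layout, field names and the 4111 1111 1111 1111 test card number are assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Retention window for PIN debit transactions as stated on the page.
PIN_DEBIT_GRACE = timedelta(hours=48)

# Track-2-shaped contents (PAN '=' expiry and service code) and track-1-shaped
# contents ('%B' PAN '^' cardholder name '^'); either indicates full stripe data.
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4}")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^")


@dataclass
class StoredTransaction:
    """Hypothetical shape of a stored transaction record (assumed for the example)."""
    txn_id: str
    authorized_at: datetime
    pin_debit: bool = False
    pin: Optional[str] = None            # any PIN block, encrypted or not
    security_code: Optional[str] = None  # CVV2/CVC2
    track_data: Optional[str] = None     # dedicated column, if the app has one
    notes: str = ""                      # free text where stripe data tends to leak


def retained_elements(record: StoredTransaction) -> List[str]:
    """Name each prohibited data element still present on the record."""
    found = []
    if record.pin:
        found.append("PIN")
    if record.security_code:
        found.append("card security code")
    if record.track_data or TRACK1_RE.search(record.notes) or TRACK2_RE.search(record.notes):
        found.append("magnetic stripe track data")
    return found


def audit_retention(records, now: datetime) -> List[dict]:
    """Return one finding per record that retains prohibited data past the allowed window."""
    findings = []
    for record in records:
        elements = retained_elements(record)
        if not elements:
            continue
        age = now - record.authorized_at
        # The page's 48-hour allowance applies to PIN debit transactions only;
        # for every other transaction, retention after authorization is a violation.
        if record.pin_debit and age <= PIN_DEBIT_GRACE:
            continue
        findings.append({
            "txn_id": record.txn_id,
            "retained": elements,
            "hours_since_auth": age.total_seconds() / 3600,
        })
    return findings


# Constructed sample data: a fixed "now" and five records at different ages.
NOW = datetime(2007, 8, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    StoredTransaction("T1", NOW - timedelta(hours=1), security_code="123"),
    StoredTransaction("T2", NOW - timedelta(hours=10), pin_debit=True, pin="<pin block>"),
    StoredTransaction("T3", NOW - timedelta(hours=72), pin_debit=True, pin="<pin block>"),
    StoredTransaction("T4", NOW - timedelta(days=2),
                      notes="swipe retry, raw read: ;4111111111111111=0905101..."),
    StoredTransaction("T5", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for finding in audit_retention(SAMPLE, NOW):
        print(finding["txn_id"], finding["retained"], f"{finding['hours_since_auth']:.0f}h")
```

T1 is flagged even though it is an hour old, because the allowance is specific to PIN debit; T2 is inside the 48-hour window and T3 is outside it; T4 is caught only by the track-2 pattern in its notes field, which is the case a column-by-column review misses. The check says nothing about whether the data was encrypted: under the rule as quoted, retention itself is the problem.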

What is the liability?

The breaching person or entity must reimburse the financial institution that issued the access devices (payment cards) affected by the breach for the costs of any reasonable actions undertaken by the financial institution as a result of the breach in order to protect its cardholders’ information or to continue to provide services to cardholders. Examples of such costs include, but are not limited to:

  • cancellation or reissuance of any affected access device
  • closure of any affected deposit, transaction, share draft, or other accounts, or action to stop payment or block transactions
  • any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach
  • notification of cardholders affected by the breach
  • damages paid by the financial institution to cardholders injured by a breach

If your business accepts credit or debit cards and conducts business in Minnesota, you should carefully review the requirements of the PCSA to determine whether you are compliant.

August 20, 2007

Transactional Considerations Related to Privacy

Many companies are struggling with the issue of vendor management and outsourcing. While outsourcing technology and account services can be valuable in industries like banking and healthcare, the original service provider has the responsibility to ensure that the data is protected. As the Federal Financial Institutions Examination Council (“FFIEC”) indicated, “responsibility for managing the risks associated with those products or activities cannot be outsourced.”
The FFIEC suggested that organizations conduct periodic risk assessments that consider:

  • Strategic goals, objectives, and business needs of the financial institution.

  • Ability to evaluate and oversee outsourcing relationships.

  • Importance and criticality of the services to the financial institution.

  • Defined requirements for the outsourced activity.

  • Necessary controls and reporting processes.

  • Contractual obligations and requirements for the service provider.

  • Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers.

  • Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.

  • Regulatory requirements and guidance for the business lines affected and technologies used.

Additionally, organizations should conduct due diligence before deciding on a service provider to determine whether the service provider has sufficient technical and industry expertise, whether the provider has adequate controls, and the financial condition of the service provider. Finally, an organization’s contracts with its service providers should clearly articulate the scope of service, the required standards for performance, the standards for security and confidentiality, the required controls, audit provisions, contingency plans, prohibitions on sub-contracting, costs, timeliness and method of notice in the event of an incident affecting data privacy, and indemnification.

Will a Private Cause of Action Under the GLBA Survive Judicial Scrutiny?

“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” - 15 U.S.C.A. § 6801.

The Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956. The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic personally identifiable information. The GLBA also prohibits individuals and companies from obtaining consumer information using false representations.

The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies, who obtain or attempt to obtain personal financial information under false pretenses.

The GLBA charged the Federal Trade Commission and other government agencies that regulate financial institutions, with the duty to enforce, carry out, and implement the GLBA. However, the GLBA does not provide for a private cause of action against those financial institutions that violate the GLBA.

In January 2007, TJX Companies, Inc. (“TJX”) announced that its computer network for T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright was breached and that customer information such as drivers’ license numbers, checking account information, and credit and debit card information was compromised. Shortly thereafter, a civil class action lawsuit was filed by AmeriFirst Bank in the United States District Court for the District of Massachusetts against TJX Companies, Inc. for Negligence, Breach of Contract and Negligence Per Se. Interestingly, the Plaintiffs based their claim of negligence per se upon TJX’s violation of the GLBA. Specifically, the lawsuit alleges that TJX failed to comply with 15 U.S.C.A. §§ 6801(a) - (b) and 6809. The lawsuit further alleges, under the negligence per se cause of action, that Fifth Third Bank, a co-Defendant in the lawsuit, failed to comply with the GLBA requirements by “not providing for adequate safeguards in its handling of nonpublic personal information.”

As noted above, the GLBA does not afford a private cause of action. However, AmeriFirst Bank’s lawsuit will likely test the extent that GLBA can be used as the basis of a negligence per se cause of action. If AmeriFirst Bank’s negligence per se theory survives judicial scrutiny, other similar cases based on data breach may follow.

International Privacy: The Canadian PIPEDA

The Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) was designed to protect personal information. The provisions of PIPEDA allow organizations to collect, use, or disclose personal information “only for purposes that a reasonable person would consider are appropriate in the circumstances.” Organizations are prohibited from collecting personal information without the data owner’s consent unless:

  • the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;

  • it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;

  • the collection is solely for journalistic, artistic or literary purposes;

  • the information is publicly available and is specified by the regulations; or

  • the collection is made for the purpose of making a disclosure required by law.

It does not appear that PIPEDA extends to companies located in the United States, even if the companies collect information about Canadian citizens. In 2004, the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) filed formal complaints against two U.S.-based companies for routinely collecting, using, and disclosing information about Canadians for unlimited purposes without the knowledge and consent of the data owners. The Office of the Privacy Commissioner responded that the jurisdiction of the PIPEDA does not extend to organizations that do not have a physical location in Canada.

Texas Attorney General Abbott Declares War on Identity Theft… Again.

“Texans expect their personal information to remain confidential. The Office of the Attorney General will take all necessary steps to protect consumers from identity thieves.”
– Texas Attorney General Greg Abbott

Last week the Texas Attorney General filed suit against yet another company that disposed of its customers’ confidential personally identifiable information in a publicly accessible trash dumpster. Minnesota-based Lifetime Fitness has been accused of “systematically exposing its customers to identity theft.”

The documents were discovered by a Dallas resident who was looking for empty boxes in trash dumpsters behind local businesses. Instead, the Dallasite found a plastic bag full of credit card receipts with corresponding driver’s license numbers, as well as complete credit card numbers. The concerned citizen reported the incident to the Dallas Police Department, which in turn visited the store manager to investigate the problem. The Lifetime Fitness store manager assured the Dallas Police Department and the concerned citizen that he would shred the customers’ confidential information and dispose of the material properly. The next day, the concerned citizen visited the same dumpster and found that the documents had not been properly shredded and that he could still read confidential personally identifiable information. Upset that the Lifetime Fitness store manager had not kept his word, the concerned citizen then contacted a Dallas television station, where the story aired that night.

According to the lawsuit filed by the Office of the Texas Attorney General, “Lifetime Fitness violated the law by repeatedly failing to protect customer records that contain sensitive personal information, including Social Security and credit card account numbers.” Even worse, the documents included the names and birth dates of children; Lifetime Fitness operates a short-term child care service for its members. Lifetime Fitness is accused of violating the Texas Deceptive Trade Practices Act and the 2005 Identity Theft Enforcement and Protection Act. The Attorney General alleged that Lifetime Fitness violated the Texas Deceptive Trade Practices Act because it violated its own web-based Privacy Statement. According to the lawsuit, Lifetime Fitness misrepresented to its customers that “all of their employees who have access to personal data are obliged to respect the confidentiality of consumers’ personal information.” The Texas ITEP Act mandates that businesses have a legal duty to protect and safeguard sensitive personal information. Finally, the Texas Attorney General accused Lifetime Fitness of violating Chapter 35 of the Texas Business & Commerce Code, which requires businesses to develop document retention and disposal procedures for their clients’ personal information.

If Lifetime Fitness is liable under Chapter 35 of the Texas Business & Commerce Code, a court could impose a civil penalty of up to $500 for each record. Section 48.201 mandates a civil penalty of at least $2,000 and up to $50,000 against each Defendant. Under the DTPA, civil penalties against each Defendant could reach up to $20,000 for each violation. If the customers whose nonpublic personal information was unlawfully dumped can be identified, those customers could be awarded damages of not less than the amount the consumer originally paid Lifetime Fitness. Finally, Lifetime Fitness could be liable for the State’s reasonable attorney’s fees, investigatory costs and court costs.

July 31, 2007

International Privacy Regulations and Safe Harbor Provisions

To encourage the free movement of personal data without diminishing protection of that data, fifteen member states of the European Union were required to enact national legislation that complied with Directive 95/46/EC (the “Data Protection Directive”). Data collectors must follow the following principles when collecting or processing data:

  • Data must be processed fairly and lawfully.
  • Data must be collected for explicit and legitimate purposes and used accordingly.
  • Data must be relevant and not excessive in relation to the purpose for which it is processed.
  • Data must be accurate and where necessary, kept up to date.
  • Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
  • Data that identifies individuals must not be kept longer than necessary.
  • In principle, all data controllers must notify supervisory authorities when they process data. Member States may provide for simplification or exemption from notification for specific types of processing which do not entail particular risks. Exception and simplification can also be granted when, in conformity with national law, an independent officer in charge of data protection has been appointed by the controller.

Because the United States’ regulations for privacy are not as stringent as those in the European Union, businesses in the United States that want to collect or process data belonging to an individual in one of the fifteen member states must qualify for safe harbor registration. To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the safe harbor. The safe harbor provisions include:

  • Notice

  • Choice

  • Onward Transfer (Transfers to Third Parties)

  • Access

  • Security

  • Data integrity

  • Enforcement

If an organization is willing to certify that it meets the qualifications of the safe harbor, it can collect and process data from European citizens. Companies that are interested in joining the safe harbor can review the checklist located at for more information. The Department of Commerce maintains a list of all organizations that file self-certification letters and makes both the list and the self-certification letters publicly available.

July 24, 2007

The HIPAA Privacy Rule

The U.S. Department of Health and Human Services (“HHS”) promulgated the privacy rule pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), and the Office of Civil Rights (“OCR”) has responsibility for ensuring that health care providers implement and enforce the rule. The HIPAA privacy rule applies to health plans, health care clearinghouses, and health care providers. The privacy rule also requires covered entities that use contractors to protect the information using Business Associate Agreements.

What is a Covered Entity?

As discussed above, covered entities include health care providers, health care clearinghouses, and private benefit plans. It may be difficult to determine whether HIPAA applies in a particular situation. For instance, is information collected by an employer for a health-care plan subject to HIPAA? An individual or an entity is a health care provider if the person, business or agency furnishes, bills, or receives payment for health care in the normal course of business and sends any covered transactions electronically. Covered transactions include requests for payment, requests for benefit information, enrollment in health plans, payments, and remittance. A business or agency is a health care clearinghouse if it processes or facilitates the processing of health information from one format to another and if the business or agency performs this function for another legal entity. A private benefit plan can be a health plan covered by HIPAA if:

  • It is a group plan that has more than 50 participants or a group plan with fewer than 50 participants that is not self-administered;

  • It is a health insurance issuer;

  • It is an issuer of a Medicare supplemental policy;

  • It is an HMO;

  • It is a multi-employer welfare benefit plan;

  • It is an issuer of long-term care policies that provides only nursing home fixed-indemnity policies; or

  • It is a plan that provides benefits other than excepted benefits.

Several government-funded programs can also be covered health plans, including high-risk pools, and certain HMOs. If the principal purpose of the program is something other than providing health care services or paying the cost of health care (e.g., operating a prison or running a scholarship program), the program is not a covered health plan.

What are the Basic HIPAA Requirements?

Pursuant to the rule, a covered entity may use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

  • To the individual (unless required for access or accounting of disclosures);
  • Treatment, payment, and health care operations;
  • Opportunity to agree or object;
  • Incident to an otherwise permitted use and disclosure;
  • Public interest and benefit activities; and
  • Limited data set for the purposes of research, public health or health care operations.

Entities governed by HIPAA can rely on professional ethics and their best judgment to determine which disclosures to make. Covered entities cannot use or disclose protected health information unless the use or disclosure is specifically articulated by the HIPAA privacy rule.

Data Privacy and Breach Notification: It's Crunch Time for Congress

“Learning a lesson from Hurricane Katrina: ‘One of the most important lessons is that by reducing vulnerability to high-impact/low-probability disruptions, a company will reduce its vulnerability…’”
– Professor Yossi Sheffi, Massachusetts Institute of Technology

On May 22, 2007 President Bush issued a White House directive ordering federal agencies to develop and implement a breach notification policy within 120 days. With September 22nd right around the corner, federal agencies are frantically trying to comply with the White House directive and are finding out that it’s not as easy as it may sound. It seems that drafting a security and breach notification policy is not the main problem. The Federal Government is, of course, very adept at drafting wordy documents that satisfy Congressional mandates, but the main challenge for federal agencies is actually executing.

The fact that the U.S. Federal Government has a problem implementing and executing should come as no surprise to anyone who has been on this planet for more than a week. However, this is also the main challenge for most private companies as well. When it comes to private companies implementing and executing a program, in this case a privacy policy and breach notification plan, the challenge is almost universal: M-O-N-E-Y. Scott & Scott’s clients commonly discuss the balance between drafting data security and privacy policies as well as a breach notification plan and the practical challenge of putting words into action.

Just like most company emergencies, the matter does not receive the necessary budgetary allocation until it has become… an emergency. You probably know of several empirical examples within your company of such post-catastrophe funding, big and small. In other words, it’s common for a company to use the ostrich approach and ignore a problem, hoping that it will just go away. However, when there is a data breach, then and only then will the decision makers throw money at the problem. Unfortunately, the money is in essence thrown into a fan and gets blown everywhere. The limited resources are spread across all departments that hold out their hands, but the money does not necessarily get spent on the areas that will produce the maximum return on investment. The attorneys and technical advisors at Scott & Scott are sensitive to this budgetary balance and advise their clients on the best way to get the most bang for their buck and receive effective legal and technical protection.

Turning the focus back to Capitol Hill, the White House’s directive applies to all Federal information and information systems. In other words, the directive applies to every Federal Agency with a computer. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT), along with the help of Senator Dianne Feinstein (D-CA), are still trying to push their co-authored Personal Data Privacy and Security Act through Congress. This bill goes beyond the White House’s directive and puts into law rules and regulations Federal Agencies must follow regarding data privacy and security. Consumer groups and privacy advocates criticize the bill’s numerous exceptions instituted by Republicans, but both parties agree that a bill of this nature is long overdue. Industry titans such as Microsoft, Sun, and Hewlett-Packard recognize the inevitable legislation and have become a part of the regulatory process as well, vis-à-vis their lobbyists of course.

Now, how can you get your company’s attention to dedicate the necessary resources to put its data privacy and security policies and breach notification plan into action? As with most potential emergencies, planning is the key to averting such incidents, and planning will also save your company considerable money. Just like your car’s engine, it’s cheaper to prevent the problem than to repair it. Scott & Scott has a proven track record of developing cost-effective data security and privacy plans uniquely suited to each client’s individual circumstances and budget. The most common mistake companies make is to promise more than is legally required. Let us show you how we can save your company time and money as well as give you peace of mind.

The Privacy Act

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:

  • Disclosure to the Census Bureau and the Bureau of Labor Statistics;

  • Disclosure for routine uses within a U.S. government agency;

  • Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”

  • Disclosure to law enforcement agencies;

  • Disclosure to aid in congressional investigations; or

  • Disclosure for other administrative purposes.

The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.

There’s a Data Breach in the Wonderful World of Disney? Say it Ain’t so Mickey! Say it Ain’t so!

“You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.” – Walt Disney

Disney recently reported that an employee of one of its independent contractors, Alta Resources, Inc., was caught trying to sell customer credit card information. Alta Resources processes transactions for the Disney Movie Club. Now Disney and Alta Resources are being investigated by the Secret Service. Furthermore, the Disney Movie Club had to notify its 1 million members in writing. The stolen customer data included credit card numbers, names, addresses, telephone numbers and even e-mail addresses.

More and more data breach laws, and the proposed Leahy-Specter Personal Data Privacy and Security Act, seek to hold companies responsible for data breaches suffered by their independent contractors and affiliated companies. So Disney may be on the proverbial “Captain’s” hook. Disney may now spend hundreds of thousands of dollars investigating, managing and litigating this data breach. Disney will likely spend additional resources re-evaluating its third-party contracts and investigating what steps its contractors are taking to ensure the security of nonpublic personally identifiable information. Disney has already amended and republished its data privacy and security policy.

The lesson to be learned from Disney and the recent Fidelity National Information Services breach is that insider fraud and negligence should be considered a more probable threat, and potentially a more dangerous one, than an outside hacker. Your company should have written security policies in place to reduce the risks associated with insider fraud and negligence. In an investigation, a company that experienced a data breach will have to explain whether it implemented its security policies and whether its data privacy and security program was “appropriate” to the company’s size and complexity and to the sensitivity of the customer information at issue. The business technology lawyers at Scott & Scott are recognized leaders in regulatory compliance, enterprise network risk, data risk and security, and related litigation. For more information contact Adam W. Vanek at

July 11, 2007

Your Board of Directors is Liable for Data Privacy and Data Security

“Today, management has no stake in the company! All together, these men sitting up here own less than three percent of the company. And where does Mr. Cromwell put his million-dollar salary? Not in Teldar stock; he owns less than one percent. You own the company. That's right, you, the stockholder. And you are all being royally screwed over by these, these bureaucrats, with their luncheons, their hunting and fishing trips, their corporate jets and golden parachutes.” – Gordon Gekko

Why does a company’s Board of Directors need to worry about data privacy? The cliché goes, “A company’s most important asset is information.” The Information Age describes a time when information was considered a limited commodity and provided a distinctive competitive advantage. Today, information is everywhere. The Information Age quietly evolved into the Knowledge Economy, which focuses on the production, management and use of information. It is this use of information, specifically the use of an individual’s non-public personally identifiable information, that brings this new wave of legislation.

Data management and data privacy are no longer confined to the windowless basement of a company’s headquarters. Identity theft is the crime de la décennie. Every four seconds in America, another person falls victim to identity theft. This week, Fidelity National Information Services announced that an employee, one employee, sold 2.3 million consumer records containing credit card, bank account and other personal information to a data broker. The data broker, in turn, sold this information to several direct marketing firms. What was once Fidelity’s most important asset is now its most significant liability. Fidelity will have to answer not only to its consumers, but also to its shareholders and the Federal Government.

According to its Web Site:

Fidelity National Information Services, Inc. (NYSE:FIS) is a leading provider of core financial institution processing, card issuer and transaction processing services, mortgage loan processing and related information products and outsourcing services to financial institutions, retailers, mortgage lenders and real estate professionals. FIS has processing and technology relationships with 31 of the top 50 global banks, including nine of the top ten. Nearly 50 percent of all U.S. residential mortgages are processed using FIS software. Headquartered in Jacksonville, Florida, FIS maintains a strong global presence, serving over 7,800 financial institutions. FIS is part of the S&P 500. FIS has also been named the #1 banking technology provider and the #2 overall technology provider in the world by American Banker and Financial Insights (FinTech 100).

It’s doubtful American Banker and Financial Insights will rank Fidelity #1 and #2 this year. Similarly, Fidelity may lose several of its 31 top-50 global bank clients. The European Union enforces strict privacy laws and often criticizes America’s lax privacy and data breach laws. The misconduct of just one employee will likely cost Fidelity millions. Fidelity will spend real dollars investigating, managing and litigating this data breach.

A company’s Board of Directors owes a fiduciary duty: a duty of care and a duty of loyalty. This week’s data breach will require the attention of Fidelity’s Board of Directors. The Federal Government and the shareholders will likely demand a response from Fidelity’s Board, and the Board will be asked whether a company that boasts “a strong global presence, serving over 7,800 financial institutions” implemented best practices to protect its consumers’ non-public personally identifiable information. Is your company implementing best practices? The business technology attorneys at Scott & Scott LLP are recognized thought leaders in regulatory compliance, enterprise network risk, data breach and security, and imminent litigation. For more information contact Adam W. Vanek, Scott & Scott LLP,

Drafting and Defending Privacy Policies and Incident Response Plans

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects; whether the company discloses the information to third parties and, if so, under what circumstances; a list of the safeguards employed to protect the information; and a discussion of any required opt-out provisions.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

  • Investigations by appropriate regulatory authorities;

  • Orders prohibiting further misrepresentations;

  • Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program;

  • Claims based on negligence for failing to follow enumerated policies;

  • Civil fines; and

  • Officer and director liability.

It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet or to promise more than is legally required.

July 3, 2007

The Fair Information Practice Principles

The Fair Information Practice Principles (the “Principles”) were first enumerated by the U.S. Department of Health, Education, and Welfare in 1973. In the 30 years since the principles were formulated, they have become the basis for many privacy laws in the United States, Canada, Europe, and other parts of the world. The Principles are designed to provide a framework for the collection and use of personal information.
The original Principles consisted of the following eight guidelines:

  • Openness – Data policies should be open and clear, and the entity or person controlling the data should be easily identifiable.

  • Collection Limitation – Collection of personal data should be limited and obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

  • Purpose Specification – The purpose for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

  • Use Limitation – Personal data should not be disclosed, made available or otherwise used for purposes other than those specified as described above, except with the consent of the data subject or by the authority of law.

  • Data Quality – Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, relevant and kept up-to-date.

  • Individual Participation – An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request is denied and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

  • Security Safeguards – Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

  • Accountability – A data controller should be accountable for complying with privacy measures.

The FTC currently articulates five core Principles: notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. Many of the current federal regulations related to privacy contain these five Principles.

Bragg v. Linden Research, Inc.: Where Second Life becomes Reality

“The Matrix isn't real.” – Trinity. “I disagree, Trinity. I think that the Matrix can be more real than this world. All I do is pull a plug here, and then...” – Cypher.

Historians, take note. In 2007, the virtual world and real world collided. As Federal District Judge Eduardo C. Robreno stated in the opening paragraph of his opinion, “While the property and the world where it is found is ‘virtual,’ the dispute is real.”

In this case, Marc Bragg (“Bragg”) sued Linden Research, Inc. (“Linden”) for unlawfully seizing his virtual real property and revoking his account. Linden operates a massively multiplayer online role-playing game (“MMORPG”) called Second Life. Second Life is an Internet-based virtual world where its users, called “Residents,” interact with each other through animated avatars. Second Life Residents interact, socialize and even conduct business. An integral part of Second Life’s real-world business model is the exchange of a virtual currency known as the Linden Dollar. Residents purchase Linden Dollars with real U.S. Dollars. As noted in Judge Robreno’s opinion, “Second Life avatars may now buy, own and sell virtual goods ranging ‘from cars to homes to slot machines.’”

However, what makes Second Life unique in the MMORPG world is Linden’s recognition of its users’ property rights. In a press release dated November 14, 2003, Philip Rosedale, Linden’s CEO, touted, “The preservation of users’ property rights is a necessary step toward the emergence of genuinely real online worlds.” The virtual real property Bragg purchased formed the basis of the lawsuit. In 2005, Bragg paid Linden to join Second Life and become a Resident. One year later, Bragg purchased several plots of virtual real property in Second Life and began to re-sell the parcels to other Residents for a profit. However, in April 2006, Linden sent Bragg a notice stating that he had purchased virtual real property through an exploit, then cancelled his account and confiscated all of Bragg’s virtual property. Bragg brought suit claiming misrepresentation and expropriation of property. Linden moved to dismiss for lack of jurisdiction and moved to compel arbitration.

Judge Robreno held that Linden, a California-based company, was subject to jurisdiction in Pennsylvania because the interactive nature of its Internet “game” gave the Court specific jurisdiction on the basis of Linden’s minimum contacts with the forum. Second, the Court held that the arbitration clause contained in Second Life’s terms of service constituted an unconscionable contract of adhesion under California law and was therefore unenforceable. Specifically, Judge Robreno objected to the lack of mutuality in the contract, to the requirement that arbitration take place in California, and to the requirement that arbitration take place before a panel of three arbitrators, which is far more expensive than pursuing the matter before the Court.

Although the legal issues addressed by the Pennsylvania Federal District Court may be found in standard contract law, the context in which this dispute arose is not ordinary. This virtual real property is a newly created commodity that may create a whole new set of rules and laws. Linden’s creation of Second Life property rights where real money is exchanged and monetary value is no longer considered “virtual” created real damages and real causes of action. The real question to be asked in this virtual world is not whether Linden will be sued again, but when and for what?

June 20, 2007

Preventing Data Breach and the GLBA: The Privacy Rule's Safe Harbor and Notice Requirements

“I’ll send an S.O.S. to the world… I’ll send an S.O.S. to the world… I hope that someone gets my… I hope that someone gets my… Message in a bottle…” – The Police.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. However, critics often complain that the GLBA requirements are not specific enough and are subject to interpretation.

Question: How do financial institutions know when they are complying with the GLBA’s Privacy Rule?
Answer: The Safe Harbor Rule… for now.

The Safe Harbor Rule.

The Privacy Rule does not require any specific format or uniform wording in an institution’s privacy notice. Instead, the GLBA allows an institution to draft its own privacy notice as long as it is clear and conspicuous and furnishes the required information. However, Congress recognized that this broad discretion might result in some confusion. Therefore, Congress attached an appendix to the Privacy Rule that provides model language called “Sample Clauses.” With some specific industry exceptions, if a financial institution incorporates the Sample Clauses within its privacy notice, the financial institution has complied with the GLBA requirements as a matter of law.

Despite Congress’ efforts to ensure that privacy notices were clear and conspicuous, consumers and customers still complained about the notices. “Reaction to the first privacy notices delivered in July 2001 was highly negative… the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.”

On October 13, 2006, Congress passed the Financial Services Regulatory Relief Act of 2006 (the “Relief Act”). The Relief Act charged eight federal agencies (the “Agencies”) with jointly developing a uniform model privacy notice that would address concerns expressed by financial institutions and reduce consumer confusion. Specifically, the Relief Act required that the new model form:

  • Be comprehensible to consumers, with a clear format and design;

  • Provide for clear and conspicuous disclosures;

  • Enable consumers to easily identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and

  • Be succinct, and use an easily readable format.

On March 29, 2007, the Agencies submitted the Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act (the “Interagency Report”). The Interagency Report proposed several model forms that are straightforward and easier to understand than most privacy notices used by institutions today. The Interagency Report, if adopted, would eliminate the existing Sample Clauses and replace them with the proposed new model form. A financial institution could still elect to use the Sample Clauses, but would no longer receive safe-harbor protection. In order to provide a transition period for institutions to adopt the proposed new model forms, the Interagency Report recommended a one-year phase-in period once the final rule becomes effective.

Notice of Data Breach.

The FTC acknowledges that “perfect security” is not attainable and that security breaches and data breaches may occur even when every reasonable precaution is taken. The GLBA does not specifically require institutions to notify their customers of a security breach or data breach. However, the Safeguards Rule does charge institutions with an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In 2005, the FTC and other federal banking regulatory agencies adopted the Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the “Guidance”). The Guidance outlines a financial institution’s notice responsibilities when a system holding its consumers’ nonpublic personal information is breached, and highlights customer notice as a key feature of an institution’s response program.

Once a financial institution discovers that its network has been breached and that sensitive customer information has been or will be misused, the institution must first notify its primary Federal regulator. Second, the institution must notify appropriate law enforcement authorities, including by filing a Suspicious Activity Report (“SAR”) when Federal criminal violations are involved. Next, if the institution determines that misuse of customer information has occurred or is likely, it must notify its affected customers as soon as possible. However, an institution may delay customer notice if law enforcement determines that notification would interfere with a criminal investigation. The customer notice must be clear and conspicuous and should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. The customer notification shall include:

  • A description of the incident in general terms and the type of customer information that was subject to the unauthorized access or use;

  • A description of what the institution has done to protect the customer’s information from further unauthorized access;

  • A telephone number customers may call for further information and assistance; and

  • A reminder that customers need to be vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft to the institution.

The FTC Guidance report encourages, but does not require, institutions to include in their customer notice:

  • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

  • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;

  • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

  • An explanation of how the customer may obtain a credit report free of charge; and

  • Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft.

The Guidance also encourages institutions to notify the nationwide consumer credit reporting agencies before sending notices to their customers. In addition to the FTC Guidance, many states, such as California, have passed their own breach notification laws. Institutions must be aware of each state’s requirements and comply accordingly.

Preventing Data Breach and the GLBA: The Privacy Rule

“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – 15 U.S.C.A. § 6801.

In 2006 an estimated 9 million American adults were the victims of identity theft at a total cost of $56.6 billion. There are a number of legislative efforts designed to protect the privacy, security, and confidentiality of customer data. One such law, the Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. The GLBA charged the Federal Trade Commission (the “FTC”), and other government agencies that regulate financial institutions, with the duty to enforce, carry out, and implement the GLBA.

The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) the Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies who obtain or attempt to obtain personal financial information under false pretenses.

The Financial Privacy Rule.

The Financial Privacy Rule (the “Privacy Rule”) applies to financial institutions that collect and receive nonpublic personal information from consumers, and requires them to provide a written notice of their policies and procedures to their customers, stating how the customer’s nonpublic personal information is protected and shared. The privacy notice must also provide consumers with a reasonable opportunity to “opt out” of any information sharing, if required by statute.

The term “financial institution” is defined as any business that is significantly engaged in activities that are financial in nature, as well as companies that receive information that is “incidental” or “complementary” to such financial activity. Financial activities include, but are not limited to, lending, exchanging, transferring, investing for others, safeguarding money or securities, providing financial, investment, or economic advice, underwriting, dealing in or making a market in securities, non-bank mortgage lending, real estate settlement services, credit counseling, check-cashing services and individual tax return services.

Notice Requirements: Clear and Conspicuous.

First and foremost, the privacy notice must be “clear and conspicuous.” This means that the notice must be understandable and designed to call attention to the nature and significance of the information within it. For example, the notice must use an easily readable font, present the information in clear, concise sentences, and use definite, everyday words and short explanatory sentences wherever possible. Similarly, any changes in the privacy policy must be clear and conspicuous, and the consumer must be reasonably notified of such changes.

Disclosure Obligations: Consumer v. Customer.

The type and frequency of the notice is dependent on whether the information belongs to a “consumer” or a “customer.” The primary distinction between a consumer and a customer depends upon the relationship that exists between the individual and the financial institution.

A “consumer” is an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. Typically, however, a consumer has a limited, “one time” connection with the financial institution. For example, a consumer may be an individual who uses an automatic teller machine to withdraw cash from an account he or she holds at another financial institution, or one who obtains a loan from a company that does not retain the rights to service the loan.

A financial institution is only required to send a privacy notice when it shares or intends to share the consumer’s nonpublic personal information with a nonaffiliated third party. Therefore, if a financial institution does not share or intend to share the consumer’s information with a nonaffiliated third party, no privacy notice is required.

A “customer” is a consumer who has a “continuing relationship” with the financial institution. It is the nature of the relationship, not how long it lasts, that defines a customer. For example, a customer may have a deposit or investment account with a bank, obtain a loan, purchase an insurance product or hold an investment account through a brokerage or investment company. If the consumer relationship is a principal one, then the consumer is also a customer.

Financial institutions are required to provide customers with a privacy notice as soon as the customer relationship is established, whether or not the institution plans to share the customer’s nonpublic personal information. Additionally, the institution is required to provide its customer with a privacy notice annually for as long as the customer relationship exists. For purposes of the Privacy Rule, a former customer is considered a consumer.

Required Information.

The privacy notice must accurately reflect the institution’s information collection and sharing practices. The privacy notice must contain the following:

  1. The categories of nonpublic personal information the institution collects;

  2. The categories of nonpublic personal information the institution discloses;

  3. The categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information (with certain statutory exceptions);

  4. The categories of nonpublic personal information the institution discloses about its former customers and the categories of affiliates and nonaffiliated third parties with which the institution shares its former customer information (with certain statutory exceptions);

  5. If an institution shares nonpublic personal information with a nonaffiliated third party, the institution is required to provide a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted;

  6. An explanation of the customer’s rights to opt-out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;

  7. Any disclosures an institution makes pursuant to the Fair Credit Reporting Act; and

  8. An institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

In other words, a financial institution must provide written notice of its privacy policies and practices, describe the conditions under which the institution may disclose the consumer’s nonpublic personal information to nonaffiliated companies, and provide a method for consumers to opt out of such information sharing, if required by law. The GLBA defines nonpublic personal information as “personally identifiable financial information provided by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise by the financial institution” (e.g., first and last name, home address, email address, telephone number, Social Security number, credit card account number, and a customer number held in a “cookie” that identifies an individual consumer).

The Opt-Out Notice and its Exceptions: What is Required in an Opt-Out Notice?

If a financial institution intends to share nonpublic personal information with a nonaffiliated third party, the institution must, in most instances, provide its consumers with an opportunity to “opt out” and instruct the institution not to share their nonpublic personal information. This opt-out notice must be delivered to the consumer within a reasonable time and must be included or incorporated within the privacy notice itself. Just like the privacy notice, the opt-out notice must be clear and conspicuous; it must state that (1) the institution reserves the right to disclose the consumer’s nonpublic personal information to a nonaffiliated third party and (2) the consumer has the right to opt out; and it must (3) provide a reasonable means by which the consumer may opt out. For example, an institution may provide the consumer with a toll-free telephone number or a detachable form that includes a check-off box and mailing information. However, the FTC determined that requiring a consumer to write a letter as the sole means to opt out fails to meet the reasonable-means standard.

The Exceptions to the Opt-Out Notice: Service Providers and Joint Marketing.

Financial institutions often contract with outside service providers to perform certain ordinary business functions such as data processing or servicing accounts. The opt-out requirements do not apply when financial institutions share information with service providers who perform such services or ordinary business functions on the institution’s behalf, as long as: (1) the institution provides an initial notice to the consumer; and (2) the institution enters into a contractual agreement with the service provider that prohibits it from disclosing or using the information other than to carry out the function for which it was hired. These service provider contracts should specify the appropriate use of consumer nonpublic personal information, set out the requirements for safeguarding such personal information, and expressly prohibit any unauthorized and unlawful use of personal information. This exception also applies to third parties who perform joint marketing services, such as the marketing of an institution’s own products and services or of financial products offered by one or more affiliated financial institutions. Again, the financial institution must have a contractual agreement with the party carrying out the joint marketing that expressly prohibits the disclosure of information other than what is necessary in the ordinary course of business.

Servicing Transactions.

A second exception to the opt-out notice requirements allows the sharing of nonpublic personal information that is necessary for a financial institution to “effect, administer, or enforce” a transaction that a customer requests or authorizes. These customer-authorized transactions include: (1) servicing or processing a financial product or service that a consumer requests or authorizes; (2) maintaining or servicing the consumer’s account, including an account with another entity as part of a private label credit card program; or (3) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to the consumer. For example, the GLBA allows a financial institution to proceed with a consumer’s loan application without having to provide the consumer with an opt-out notice. The premise of this exception is that the consumer, by requesting the loan, authorizes the disclosure of the personal information necessary to obtain it.

Other Exceptions to Notice and Opt-Out Requirements.

Finally, Section 313.15 provides a laundry list of exceptions that allow a financial institution to disclose a consumer’s nonpublic personal information. These exceptions include:

  • When the customer consents to his or her information being shared.

  • To protect the confidentiality or security of the consumer’s records and to protect against or prevent actual or potential fraud.

  • To resolve customer disputes or inquiries.

  • To a consumer’s legally appointed representative, such as a holder of a power of attorney, or to persons acting in a fiduciary capacity on behalf of the consumer.

  • To provide information to insurance rate advisory organizations, guaranty funds, or agencies that rate the institution, persons assessing an institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.

  • To the extent permitted or required by law and in accordance with the Right to Financial Privacy Act.

  • To a consumer reporting agency in accordance with the Fair Credit Reporting Act.

  • To comply with all Federal, State or local laws, including court orders.

June 19, 2007

Preventing Data Breach and the GLBA: The Safeguards Rule

“Safeguarding information is not a product, but a process.” – Thomas J. Smedinghoff

The GLBA’s Safeguards Rule requires financial institutions to conduct a thorough risk assessment of their security measures and to design a comprehensive information security program to protect nonpublic personal information. Specifically, the Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive information security program that is written… and contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The statutory objectives of the Safeguards Rule are to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

An Information Security Program Must be Appropriate.

The Safeguards Rule requires an institution to develop, implement, and maintain a comprehensive information security program that is written, contains administrative, technical and physical safeguards, is “appropriate” to the institution’s size and complexity, as well as the nature and scope of its activities, and is appropriate to the sensitivity of the customer information at issue. Therefore, an institution may exercise some latitude in developing its security program. While some critics may view this subjective standard as unenforceable, the FTC places a high level of responsibility upon financial institutions to keep up with the latest technology and the constant bombardment of potential identity thieves.

A Thorough Risk Assessment is Required.

The FTC requires companies to conduct a thorough risk assessment and to address such risks to customer information in all areas of their operation, including administrative, technical, and physical safeguards. As part of the risk assessment, the Safeguards Rule requires an institution to:

  • Designate someone to coordinate the information security program;

  • Perform a thorough risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

Reactions to the Safeguards Rule were mixed. Many companies carefully considered the costs of compliance compared to the costs of non-compliance. In fact, John Eubank, president of Nationwide Mortgage Group, evaluated whether to close his company because it would cost him $70,000 to comply with the Safeguards Rule and approximately $250,000 to fight the FTC if he elected not to comply. The $250,000 did not include potential fines.

Another important factor for institutions to consider is the potential discoverability of risk assessments. If internal employees prepare the risk assessments, those assessments could be admitted as evidence if they are relevant in court proceedings. For example, if a technical professional prepared a risk assessment recommending that the company replace its firewall, and a security breach or data breach then resulted from that firewall before it could be replaced, the assessment could be a damaging piece of evidence. To avoid potential discovery issues, companies should determine whether their risk assessments can be covered by the attorney-client or attorney work-product privileges. The rules governing these privileges are state specific and should be examined carefully with experienced counsel.

Employee Training and Management.

Much of the cost of compliance relates to employee training and management. As part of its information security program, a financial institution should:

  • Check employee references and perform background checks;

  • Require employees to sign a confidentiality agreement;

  • Limit employee access to sensitive customer information;

  • Use password-activated screen savers to lock employee computers;

  • Encrypt customer files on laptops and other computers in case of theft;

  • Impose disciplinary measures for security policy violations;

  • Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names.

The FTC noted in one of its publications that “the success of your information security plan depends largely upon the employees who implement it.”

Information Systems.

Second, the Safeguards Rule requires a financial institution to assess its information systems, including network and software design, as well as information processing, storage, transmission, and disposal. A financial institution’s written information security plan should include both technology concerns and the physical storage and destruction of nonpublic personal information. For example:

  • Know where sensitive customer information is stored and store it securely;

  • Ensure that the computer or server is accessible only by using a “strong” password and is kept in a physically secure area;

  • Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area;

  • Take affirmative steps to secure transmission of customer information;

  • Encrypt customer data if it is necessary for you to transmit such information by email or Internet;

  • If you collect information online directly from customers, secure the data transmission automatically;

  • Dispose of customer information consistent with the FTC’s Disposal Rule.

Plan for System Attacks.

Third, the Safeguards Rule requires a financial institution to detect, prevent, and respond to attacks, intrusions, or other system failures. A financial institution must remain constantly vigilant and employ the latest security measures and technology in order to adequately protect its network. The FTC guidance suggests that financial institutions:

  • Monitor the websites of software vendors and relevant industry publications for news about emerging threats and available defenses;

  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information;

  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information;

  • Take affirmative steps to preserve the security, confidentiality, and integrity of customer information and consider notifying consumers, law enforcement, and credit bureaus in the event of a security breach or data breach;

  • Oversee service providers by ensuring that they are able to take appropriate security precautions and in fact do so;

  • Update the security program as necessary in response to frequent monitoring and material changes in the business.

Implementing and Maintaining the Information Security Program.

Finally, the Safeguards Rule requires a financial institution to design and implement information safeguards to control the risks identified and to regularly test and monitor the effectiveness of the information security program’s key controls, systems, and procedures. This duty also includes overseeing third-party service providers by taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and requiring the service providers to contractually agree to implement and maintain such controls. The Safeguards Rule requires a financial institution to evaluate and adjust its information security program in response to its system test results or in response to any changes in its operations or business circumstances.

As Congress attempts to keep pace with the information age and balance the needs of commerce with those of individual protection, the Gramm-Leach-Bliley Act continues to evolve. Financial institutions must be aware of new Federal agency opinions as well as changing state laws. The Privacy and Safeguards Rules allow financial institutions to adopt policies and procedures that are appropriate for their specific needs and size, but the costs of compliance are often great. The costs of non-compliance can be even greater. As technology advances, so does the level of appropriateness a financial institution is required to maintain. Protecting the privacy of consumer information is not only good for business, it’s a legal duty.

California Judge Ruling May Force Companies to Drastically Alter Their Data Privacy Policies and the Business Implications Could Cost Millions!!!

“I don't know if it's such a hot idea to have a court confined to California. You would still get a court full of activist judges, and a court that doesn't represent the whole of the state." - Retired Judge Robert Bork

Always interesting and never ceasing to befuddle legal scholars, another California Federal Judge is attempting to re-write the Federal Rules of Civil Procedure governing discovery by requiring a popular BitTorrent indexing Web Site to preserve and disclose information kept in its computers’ random access memory (“RAM”). California Federal Magistrate Judge Jacqueline Chooljian ruled that information found in RAM is “electronically stored information” and therefore subject to discovery. If upheld on appeal, this ruling could force companies to rewrite their privacy policies and cost millions to implement.

MPAA v. TorrentSpy

In February 2006, six movie studios brought a Federal copyright infringement suit against TorrentSpy, a Web Site that indexes files for peer-to-peer (“P2P”) file sharing. The MPAA alleges that TorrentSpy directs its users to files that allow downloading of copyrighted videos, and further contends that TorrentSpy’s RAM data will show that TorrentSpy is used primarily for copyright infringement. When the MPAA accused TorrentSpy of wrongfully withholding its user login information, TorrentSpy objected, arguing that such information is transitory: RAM, by its very nature, holds data in integrated circuits without any physical movement of a storage medium or a physical read head, so once the server’s login function is shut off, the information is gone. Judge Chooljian justified her decision by stating that the Server Log Data was relevant and that the information was already “stored” in RAM. Judge Chooljian then backtracked and inserted her own disclaimer, stating that her ruling does not mean that litigants in all cases are required to preserve and produce data that is temporarily stored in RAM. Despite her reluctance or lack of intent, Judge Chooljian is most likely creating legal precedent that will be used in future DMCA cases.

The Business Impact on a Company’s Privacy Policies

This is the first highly publicized case in which a judge has held that RAM contents are discoverable. If the ruling stands, a company could be required to collect, store and turn over RAM data every time it is sued. Preservation letters would become a new form of legal intimidation alongside the Digital Millennium Copyright Act (“DMCA”) notice. Businesses may have to significantly re-write their data privacy policies to state, in essence, that a customer’s information is private… as long as the business does not get sued. The economic cost, both in manpower and infrastructure, of collecting and storing RAM data could be significant regardless of a company’s size.

Scorched Earth: The DirecTV End User Shakedown Part Deux

Another practical concern for TorrentSpy is that if it is forced to disclose RAM data about its end users, then the end users will be sued by the MPAA as well. Earlier this decade, DirecTV sued thousands of its own customers who had registered on a Web Site that sold smart card equipment. Because there was no way to tell whether the registered users had merely browsed the Web Sites, which required visitors to log in, or had actually bought and used the smart cards for illegal purposes, DirecTV adopted a scorched earth policy and sued everyone… and I mean everyone. DirecTV apparently knew that most Americans cannot afford an expensive Federal court battle.

History tends to repeat itself. Once Judge Chooljian forces TorrentSpy to release its RAM data and user login information, the MPAA may sue TorrentSpy’s many end users. Any residual sense of trust between TorrentSpy and its registered visitors will be lost. TorrentSpy’s Internet traffic will drastically decline due to end user fear of retribution by the MPAA, and TorrentSpy may be forced out of business. The MPAA, RIAA or another aggressive plaintiff with considerable resources can and will litigate an Internet company out of business if it is determined enough. The lesson learned from DirecTV is that an individual registered user can be treated as guilty by association regardless of intent. Judge Chooljian’s disclaimer will not put the genie back in the bottle.

“Et tu, Brute?"

Moore’s law states that the number of transistors on a chip doubles roughly every two years. Newton’s third law of motion states that for every action there is an equal and opposite reaction. In this digital and information age, where computing capacity doubles every two years, the equal and opposite reaction has been the exponential dissolution of privacy. Americans love their privacy. Customers want to know that their data privacy is secure. Likewise, companies want to reassure their registered users that their information is safe. However, privacy is becoming nothing more than Platonic idealism. The American judicial system was once considered a stalwart institution that protected an individual’s right to privacy. Judge Chooljian’s ruling makes it clear that the end of an era is near and that society is one step closer to fulfilling Scott McNealy’s prophetic words, “Privacy is dead, deal with it.”

June 4, 2007

Texas Attorney General Abbott Declares War on Identity Theft…and Holds Your Company Responsible

“Texans expect their personal information to remain confidential. The Office of the Attorney General will take all necessary steps to protect consumers from identity thieves.”
– Texas Attorney General Greg Abbott

Don’t mess with Texas, and you had better be sure not to mess with a Texan’s nonpublic personal information. Texas Attorney General Greg Abbott has declared war on identity theft and he’s holding companies responsible. Over the past several weeks, Mr. Abbott filed no fewer than six lawsuits against companies for violations of the Texas Identity Theft Enforcement and Protection Act of 2005, Tex. Bus. & Com. Code Ann. §§17.41, et seq., and the Tex. Bus. & Com. Code Ann. § 35.48. In May 2007, Attorney General Abbott filed an enforcement action against CNG Financial Corporation, its subsidiaries, and EZPAWN for improperly dumping customer records, including promissory notes and bank statements. In April, Attorney General Abbott took legal action against CVS/pharmacy and RadioShack Corporation for exposing hundreds of customers to identity theft by failing to properly dispose of records that contained sensitive information. In March, the Attorney General filed an enforcement action against Jones Beauty College in Dallas for improperly discarding student financial aid forms containing Social Security numbers and other personal information. Also in March, Attorney General Abbott took legal action against On Track Modeling, a North Carolina-based talent agency that abruptly shut down its North Texas office and abandoned more than 60 boxes containing hundreds of confidential client records.

The Identity Theft Enforcement and Protection Act.

The Identity Theft Enforcement and Protection Act (the “ITEP Act”) mandates that businesses have a legal duty to protect and safeguard sensitive personal information. Similar to the Gramm-Leach-Bliley Act, the ITEP Act requires businesses that collect or maintain sensitive personal information in the regular course of business to implement and maintain reasonable procedures and corrective measures to protect and safeguard sensitive personal information from unlawful use or disclosure. Furthermore, the ITEP Act includes a “Dumpster Diving” provision under which companies are required to destroy customer records no longer in use by shredding, erasing or modifying the records to make the information unreadable or undecipherable. Section 35.48 of the Texas Business & Commerce Code also mandates that companies destroy business records that contain personal identifying information in a secure manner. The ITEP Act provides an exception for financial institutions governed by the GLBA.

The ITEP Act requires corporations to give notice if their system security is breached and may compromise the security, confidentiality or integrity of sensitive personal information. A company must disclose such breach as quickly as possible by either written notice, electronic notice, or by providing conspicuous notice on its website and publishing or broadcasting such notice through the mass media. The type of disclosure depends upon the number of persons affected and the companion Federal statute, if any.

The State of Texas v. CNG Financial Corporation, Check ‘N Go of Texas, Inc. and Southwestern & Pacific Specialty Finance, Inc.

On May 24, 2007, the Texas Attorney General filed an enforcement action against CNG Financial Corporation and its related entities, Check ‘N Go of Texas, Inc., and Southwestern & Pacific Specialty Finance, Inc. (hereinafter collectively referred to as “Defendants” or “Check ‘N Go”). The lawsuit claimed the Defendants violated the Identity Theft Enforcement and Protection Act, the Deceptive Trade Practices Act and the Credit Services Organizations Act. All of these claims are based upon the Defendants’ failure to protect their customers’ sensitive personal information.

According to the lawsuit, Check ‘N Go is in the business of finding third party lenders to provide its customers cash advances, more commonly referred to as payday loans or fast cash loans. These payday loans are short-term loans that are repaid via a pre-authorized withdrawal from the customer’s checking account on the next payday after the loan is made. In order to process the payday loans, Check ‘N Go collects a myriad of nonpublic personal information including, but not limited to, the applicant’s address, date of birth, Social Security number, and driver’s license number. Additionally, Check ‘N Go collects the applicant’s employment information, bank checking account number, bank routing number, signature and thumb print. However, according to the lawsuit, on numerous occasions and at several locations throughout Texas, Check ‘N Go disposed of its customers’ sensitive personal information in publicly accessible dumpsters located behind its retail locations without shredding or otherwise modifying the information.

First, the Defendants were charged with violating the Deceptive Trade Practices Act because they misrepresented to their customers in writing that they were “committed to protecting our customers’ privacy and security” by “restrict[ing] access to nonpublic personal information”, maintaining “physical, electronic and procedural safeguards… designed to safeguard your nonpublic personal information” and “prevent[ing] unauthorized access to your nonpublic personal information by regularly assessing our security standards and privacy policies, and by regularly training our employees and requiring our vendors to comply with those standards and policies.” Attorney General Abbott instead alleges that the Defendants “in truth and in fact… fail[ed] to safeguard sensitive personal information.” The lawsuit also contends that, “When specifically asked what would happen to their checks by at least two customers, Defendants represented to them that the checks would be shredded. In truth and in fact, the checks were dumped into the trash without even being torn.”

Second, the Defendants were charged with violating various provisions of the Texas Identity Theft Enforcement and Protection Act. Attorney General Abbott alleged that Check ‘N Go failed to implement and maintain reasonable procedures to protect and safeguard their customers’ sensitive personal information that it collected and especially failed to destroy or arrange to destroy its customer records in a secure manner.

Third, the Defendants were charged with violating the Texas Credit Services Organizations Act (the “CSOA”). The lawsuit claims that Check ‘N Go misrepresented the quality and degree of security and protection afforded to the sensitive personal identifying information that its customers provided in order to purchase credit services. Specifically, the lawsuit alleges that the Defendants represented in their privacy policies that “[w]e… protect… our customers’ privacy and security…” and then “dump[ed] such information into trash receptacles making it easily accessible to the public…”

Why is this lawsuit a big deal? It goes directly to Check ‘N Go’s bottom line. First, the Defendants cannot compete with the Texas government and its unlimited resources. Next, the Attorney General announced in a press conference, to anyone who would listen, that Check ‘N Go was negligent and that its customers may be at risk. The damage to Check ‘N Go’s brand image may not be immediately quantifiable, but in time the free market will let them know. Third, Attorney General Abbott sought a temporary injunction and a permanent injunction to prevent the Defendants from continuing their current business practices. If granted, the injunctions will force the Defendants to stop certain aspects of their business, and that will cost Check ‘N Go time and money. Finally, Check ‘N Go will pay monetary damages to the State. How much Check ‘N Go will pay is uncertain, but they will pay.

For violating Chapter 35 of the Texas Business & Commerce Code, the Defendants may be liable for a civil penalty of up to $500 for each record. Section 48.201 of the ITEP Act not only allows the Attorney General to seek a permanent injunction, but also exposes the Defendants to a civil penalty of at least $2,000 and up to $50,000 against each Defendant. The DTPA provides for a civil penalty against each Defendant of up to $20,000 for each violation. Similarly, for violating the CSOA, each Defendant may be liable for up to $20,000 per violation. If the customers whose nonpublic personal information was unlawfully dumped can be identified, those customers may be awarded damages of “not less than the amount the consumer paid” Check ‘N Go in the first place. Finally, the Defendants are liable for the State’s reasonable attorney’s fees, investigatory costs and court costs.

In summary, the cost of noncompliance is high and very few companies have a check book that big.

May 31, 2007

The New Standard of Care: Data Encryption on Portable Devices

Approximately 60 percent of PDAs and 59 percent of laptops contain unprotected sensitive or confidential information. Almost half of the businesses surveyed by the Ponemon Institute indicated that they would never be able to determine what information they had actually lost. There are a number of precautions businesses and their employees should take to ensure that they have met the minimum standard of care for protecting sensitive data contained on laptops or other mobile devices. These security measures include:

  • Protect information stored on the laptop with a secure password consisting of a combination of numbers and upper and lower-case letters. Note that a login password alone does not protect the data on a stolen hard drive, which can be read by removing the drive or booting from other media; only encryption of the stored data does.

  • Implement advanced security measures such as Remote Laptop Security and laptop encryption.

  • Be sure that all important data contained on the laptop is backed up.

  • Make use of physical security measures like locks and cables. These devices make theft more difficult and thereby discourage thieves from taking your machine.

  • When leaving a laptop in the office, make sure it is hidden and secured.

  • Keep your laptop in an inconspicuous case. Flashy cases expose your computer by attracting thieves’ attention. A simple padded messenger bag can suffice as a protective container.

  • When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.

The Ernst & Young laptop theft in Miami could have been prevented if employees had followed these simple instructions. Furthermore, the companies whose data was stolen could have easily identified the compromised data if they had regularly backed up the information contained on the laptops. Finally, all of the information could have been protected if it had been encrypted. Only 65 percent of the Ponemon survey respondents claimed that their organizations use encryption to protect information.

May 30, 2007

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 3 of 3)

The Act “guarantee[s] that the Federal Government is not wasting money on inaccurate data and that vendors are undertaking the security programs that they have promised and for which the government is paying.” – Senator Russ Feingold

“I’ve got some ocean front property in Arizona. From my front porch you can see the sea. And if you’ll buy that I’ll throw in the Golden Gate for free.” – George Strait

Although Senator Feingold’s optimism is well placed, it may be overstated. However, if the Act is passed as presented, the Federal Government will take a substantial step forward in protecting personally identifiable information. Title IV of the Act requires the Federal Government to evaluate the privacy and security program of all data brokers who bid for government contracts in excess of $500,000. Yes, Virginia, even our own Federal Government hires data brokers in order to find out more about you, the taxpayer.

Title IV’s requirements are very specific. The General Services Administration is in charge of reviewing: (1) the data privacy and security program of a data broker to ensure the privacy and security of data containing the personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software; (2) the compliance of a data broker with such program; (3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and (4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.

Just like the GLBA, Title IV provides a compliance safe harbor. Section 401(b) states, “The data privacy and security program of a data broker shall be deemed sufficient… if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.” This compliance safe harbor is vague at best and punts the proverbial football over to the FTC to define what exactly “protection equal to industry standards” means.

If a data broker wants to bid on a government contract, the Act also requires Federal agencies to complete a privacy impact assessment, under section 208 of the E-Government Act of 2002. The privacy impact statement must address the use of commercial information services that contain personally identifiable information. This privacy impact assessment must be completed before the Federal agency enters into a data broker contract and must include a laundry list of specific information regarding the data broker, the broker’s data privacy and security program, and information about the government contract, itself. The privacy impact assessment must include a description of: (1) the database; (2) the name of the data broker; and (3) the contract amount. Additionally, a data broker must adopt regulations that specify: (1) the personnel permitted to access, analyze or use such databases; (2) standards governing the access, analysis, or use of such databases; (3) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency; (4) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases; (5) procedures ensuring that such data meets standards of accuracy, relevance, completeness and timeliness; (6) the auditing and security measures to protect against unauthorized access, analysis, use or modification of data in such databases; (7) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases; (8) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (9) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases. 

If the contract exceeds $500,000, then the government contract must also include penalties for failing to comply with Title III of the Act and for failing to comply with the data broker’s own data privacy and security program.

Interestingly, Title IV also requires the Department of Justice to create a department-wide Chief Privacy Officer who reports directly to the Deputy Attorney General. The Chief Privacy Officer shall oversee the D.O.J.’s implementation of Title IV’s privacy impact assessment requirements and coordinate with the Privacy and Civil Liberties Oversight Board.

Congress may not pass the Data and Privacy Security Act into law this legislative session. However, lawmakers and industry leaders agree that this bill is long overdue and that it will eventually pass. The only remaining questions are in what form, and when, it will pass.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 2 of 3)

“In the information age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain.” – Senator Patrick Leahy.

As noted in Part I of this report, the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). This Privacy and Security Act is unique because it specifically applies to data brokers, businesses that collect personal information and government agencies.

Part II of this report focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program.

Title III – Privacy and Security of Personally Identifiable Information.
Senators Leahy and Specter wanted to ensure that all businesses that handle sensitive personally identifiable information develop and implement administrative, technical, and physical safeguards to protect such information. Title III mirrors the Safeguards Rule requirements found in the Gramm-Leach-Bliley Act (the “GLBA”). Accordingly, the Privacy and Security Act excludes financial institutions that are already governed by the GLBA. Similarly, the Act excludes all entities governed by the Health Insurance Portability and Accountability Act of 1996.

Data Privacy and Security Program. Title III applies to all businesses that collect, access, transmit, use, store or dispose of personally identifiable information of 10,000 or more American citizens. The Act requires such businesses to create and implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards “appropriate” to the size and complexity of the business and the “nature and scope” of its activities. The data privacy and security program must be designed to ensure the privacy, security, and confidentiality of sensitive personally identifiable information, protect against any anticipated vulnerabilities to the privacy, security or integrity of such information, and protect against unauthorized access to such information that could result in substantial harm or inconvenience to the individual.

The Act requires a business to conduct a thorough risk assessment and identify internal and external vulnerabilities that could result in the unauthorized access, disclosure, use or alteration of sensitive personally identifiable information or systems containing such information. A business must determine the likelihood of a network breach and the potential damage if such a breach occurred. The risk assessment must also review the policies, technologies and safeguards a business employs to minimize unauthorized access and assess how it disposes of sensitive personally identifiable information.

Based upon its risk assessment, a business shall design, adopt and implement a personal data privacy and security program. Once again, the measures adopted shall be appropriate to the sensitivity of the data as well as the business’s size, complexity, and scope of activities. The Privacy and Security Act requires that businesses control access to personally identifiable information, detect unauthorized attempts to gain access to such information, protect the information by encryption or other reasonable means, and dispose of personally identifiable information securely. The Act also requires a business to train its employees regarding its data security program and to ensure that they follow its policies and procedures. Finally, the Act requires companies to frequently test their data security programs for vulnerabilities and update their systems accordingly.

Just like the GLBA, the Privacy and Security Act holds companies responsible for their third-party service providers. For example, a business must exercise due diligence and take reasonable steps to select only those service providers that are capable of maintaining appropriate safeguards for the security, privacy and integrity of sensitive personally identifiable information. There must be a contractual agreement by and between the business and the service provider that expressly states the service provider will implement and maintain appropriate measures to protect private information in accordance with the Act. Again, a business must periodically assess the security measures employed by its service providers.

Enforcement. The Federal Trade Commission is charged with enforcing Title III. If a business violates Title III, it may be enjoined and fined civil penalties up to $5,000 per violation per day, for a maximum of $500,000. If the violations are found to be intentional or willful, then a business may be fined an additional $5,000 per violation per day, up to a maximum of $500,000. Just like Title II, States are permitted to bring a civil action in Federal Court. However, the State attorney general must first provide written notice to the FTC. If the FTC already proceeded against the violator, the State attorney general is barred from bringing a separate claim. Hence, Federal authority may be exclusive and trumps all State actions. Individuals are once again barred from bringing a private cause of action.

Do you have a comprehensive data protection program in place? The attorneys at Scott & Scott LLP are the knowledge leaders in privacy, security and IT compliance. Contact us today before the government calls you.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 1 of 3)

“The world is digital and so is our personal data. In this day and age, almost everything we do results in a third party creating a digital record about us – digital records that we may not even realize exist.” – Senator Russ Feingold.

Congress wants to protect your sensitive personally identifiable information, but this time they mean it. No, seriously, they really do, and they’re willing to throw you in jail to prove their point. Personally identifiable information is a valuable commodity that is bought, sold and, of course, stolen. In 2006, over 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost approximately $6,300 and spent over 40 hours on the phone with creditors and credit bureaus to clear their names. Businesses collectively lose $50 billion a year from identity thieves.

In 2005, Senator Patrick Leahy (D-VT) and Senator Arlen Specter (R-PA) introduced a bill which attempted to protect an individual’s private information. However, influential critics of this bill viewed it as “unfriendly” to business and the bill was never brought up for a vote. In 2007, the political winds shifted and the legislative gavel changed hands. Senators Leahy and Specter reintroduced their bill, joining forces with Senator Dianne Feinstein (D-CA) and Senator Russ Feingold (D-WI). Now, it looks like the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). Congress recently received the blessing of Microsoft and other private industry leaders; therefore it is highly anticipated that the Federal Government will pass the Privacy and Security Act within the next couple of months.

This Privacy and Security Act associates identity theft with organized crime and imposes new criminal penalties for intentionally concealing a data security breach. The Act is also unique because it regulates data brokers, all businesses that collect personal information, and… the Federal Government itself.

This report is divided into three parts. Part I will briefly discuss the new criminal penalties imposed for intentionally violating the new legal reporting requirements for data brokers. Part II focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program. Finally, Part III briefly discusses the requirement that certain government agencies designate a Chief Privacy Officer and ensure that data brokers under government contract have a sufficient data privacy and security program in place.

Title I – Enhancing Punishment for Identity Theft.

The Privacy and Security Act significantly enhances the punishment for identity theft by associating such activity with organized crime. Specifically, the Privacy and Security Act adds subsection 18 U.S.C. § 1030(a)(2)(D) relating to fraud and related activity in connection with unauthorized access to sensitive personally identifiable information. Furthermore, the Act makes it a criminal offense to conceal a security breach, even if such concealment only harms one individual. That’s right. The Privacy and Security Act could land a Chief Privacy Officer in the Federal Penitentiary for up to 5 years if he or she “knowingly” fails to provide notice of a breach to individuals, if required under Title III of the Act, and he or she attempts to “intentionally and willfully” conceal such breach. To make matters more exciting, the Act puts the United States Secret Service in charge of investigating all alleged offenses. The Act does require that the offender knowingly, intentionally and willfully violate the Act. However, the Privacy and Security Act does make it clear that senior management, corporate officers or their employees will be held criminally responsible for knowing and complying with the law. Remember, ignorance of the law is not an excuse.

Title II - Data Brokers.

The Act is unique because Congress publicly acknowledges that data about individuals is bought and sold and that such data is not merely limited to the information found in a credit report. The Act applies to data brokers engaging in interstate commerce. Congress defines a “data broker” as “a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.”

Legal Duties. The Privacy and Security Act requires data brokers to disclose to individuals, for a reasonable fee of course, all personal electronic records pertaining to that individual that the data brokers collect and sell to third parties. The disclosures must also include instructions on the procedures to correct any inaccurate information. If the individual disputes the accuracy or completeness of the information, the data broker shall determine within 30 days whether the information accurately reflects information found in the public record. If the disputed information did not come from the public record, then the data broker shall investigate and determine whether the personally identifiable information is accurate and complete, free of charge this time. If the data broker determines that the disputed information is in fact inaccurate, then the data broker must correct the information accordingly. If an individual requests, the data broker must also provide the name of the entity providing the disputed information and how to contact the entity. However, if the data broker reasonably determines that the individual’s initial dispute is “frivolous” or “intended to perpetuate fraud”, the data broker may decline to investigate and terminate its review as long as it notifies the individual in writing.

Enforcement. The Federal Trade Commission (“FTC”) is charged with enforcing the Privacy and Security Act. If a data broker violates Title II, it may be enjoined and fined civil penalties up to $1,000 per violation per day, for a maximum of $250,000. If a state law is broken, States are still permitted to bring a civil action in Federal Court. However, the State attorney general must first provide written notice to the FTC, if feasible. Otherwise, the State must provide the FTC with a copy of the complaint as soon as practicable. If the FTC already proceeded against the data broker under the Act, the State attorney general may not bring its own claims against the violator. Hence, Federal authority trumps all State actions. Finally, individuals are not allowed to bring private causes of action against a data broker for violating the Act.

Recent Federal Government Data Breaches

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took home a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records. The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case, and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities. The FTC offered free credit monitoring for 110 people as a result of the theft.

May 8, 2007

Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.

The new policies include coverage for the following claims:
• Failure of network security;
• Wrongful disclosure of private or confidential information;
• Failure to protect confidential or private information; and
• Violations of federal, state, or local privacy statutes.

Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.

Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions requiring the insurance company to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, for the individuals affected by the security breach.

State Class Action Litigation Related to Privacy Breaches

Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes. Thirty-four states already have security breach notification laws in effect. If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of the notification laws.

In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages. For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.

In the Providence case, Providence’s employee left the office with tape backups and disks containing more than 365,000 patient records. The employee left the information in the car, where it was stolen. When the patients indicated that they would like Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.

Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information. Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.

April 23, 2007

Jurisdictional Issues Arising in the Global Compliance Arena

It is sometimes difficult to predict what laws will apply to a particular compliance issue. For instance, in Section 814 of the Patriot Act, the U.S. Congress extended the jurisdiction of its federal law enforcement officers to include crimes that do not occur in the U.S. or have any victims in the U.S. It could be argued that “[e]very nation has the right to extend the scope of its law beyond its borders to protect the rights and property of its own nationals.” See Security Focus: Ashcroft’s Global Internet Power-Grab by Mark Rasch located at However, when neither the criminal nor the victims reside in the U.S., it is difficult to determine what protections are being afforded to citizens. There is no question that lawmakers and politicians are focusing on trends in technology. Robert Holleyman, CEO and President of the Business Software Alliance applauded recent trends. “The Congress and the President will face important policy decisions this year, and we remain hopeful that any new policies will enhance the future of American innovation,” Holleyman said. “We look forward to working with the Congress and the Bush Administration to enact legislation and promote policies that will ensure a robust, competitive environment for our economy generally, and for information technology specifically.”

The United States’ efforts to expand its jurisdiction over defendants who do not reside in the United States are not unique. For example, other countries have exercised jurisdiction over foreign defendants in hacking cases. In one highly publicized case, a British company and a Russian company were embroiled in a legal battle with a state-owned company in Tajikistan. When the British company’s computers were hacked, the British company made a claim against the Russian company under Sections 1 and 2 of the British Computer Misuse Act of 1990. See Out-Law News: Russian Hacking Case Can be Heard in England, Says Judge located at The court based its conclusion on the fact that the server was located in the U.K. and therefore the most significant element of the offense occurred in the U.K.

When faced with a foreign lawsuit, some companies elect to ignore the proceedings and allow the plaintiff to receive an award by default. This approach can have dire consequences. For example, Spamhaus, a British company that maintains a spam blacklist, was sued in the United States by e360 Insight. Spamhaus concluded that the Illinois court did not have jurisdiction over it and declined to appear or defend itself in the action. See Out-Law News: Spamhaus decides to fight first US court Action located at The Illinois court entered a default judgment in favor of e360 Insight for $11.7 million. The court also instructed ICANN to suspend the domain. ICANN claimed it did not have the power to suspend the domain, but indicated that Spamhaus’ hosting company would do so. With precedents like Spamhaus, defendants may be reluctant to ignore foreign lawsuits. The best strategy is to consult with legal counsel in both jurisdictions and formulate an approach that minimizes your risks without jeopardizing your legal position.

April 19, 2007

Privacy and Data Security Act of 2007

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.
