Scott & Scott | Software Compliance Counsel

Julie Machal-Fulks Archives

April 19, 2007

Privacy and Data Security Act of 2007

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, introduced by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

April 23, 2007

Jurisdictional Issues Arising in the Global Compliance Arena

It is sometimes difficult to predict what laws will apply to a particular compliance issue. For instance, in Section 814 of the Patriot Act, the U.S. Congress extended the jurisdiction of its federal law enforcement officers to include crimes that do not occur in the U.S. or have any victims in the U.S. It could be argued that “[e]very nation has the right to extend the scope of its law beyond its borders to protect the rights and property of its own nationals.” See Security Focus: Ashcroft’s Global Internet Power-Grab by Mark Rasch located at www.securityfocus.com/columnists/39. However, when neither the criminal nor the victims reside in the U.S., it is difficult to determine what protections are being afforded to citizens. There is no question that lawmakers and politicians are focusing on trends in technology. Robert Holleyman, CEO and President of the Business Software Alliance applauded recent trends. “The Congress and the President will face important policy decisions this year, and we remain hopeful that any new policies will enhance the future of American innovation,” Holleyman said. “We look forward to working with the Congress and the Bush Administration to enact legislation and promote policies that will ensure a robust, competitive environment for our economy generally, and for information technology specifically.”

The United States’ efforts to expand its jurisdiction over defendants who do not reside in the United States are not unique. For example, other countries have exercised jurisdiction over foreign defendants in hacking cases. In one highly publicized case, a British company and a Russian company were embroiled in a legal battle with a state-owned company in Tajikistan. When the British company’s computers were hacked, the British company made a claim against the Russian company under Sections 1 and 2 of the British Computer Misuse Act of 1990. See Out-Law News: Russian Hacking Case Can be Heard in England, Says Judge located at www.out-law.com/page-7434. The court based its conclusion on the fact that the server was located in the U.K. and, therefore, the most significant element of the offense occurred in the U.K.

When faced with a foreign lawsuit, some companies elect to ignore the proceedings and allow the plaintiff to receive an award by default. This approach can have dire consequences. For example, Spamhaus, a British company that maintains a spam blacklist, was sued in the United States by e360 Insight. Spamhaus concluded that the Illinois court did not have jurisdiction over it and declined to appear or defend itself in the action. See Out-Law News: Spamhaus decides to fight first US court Action located at http://www.out-law.com/page-7404. The Illinois court entered a default judgment in favor of e360 Insight for $11.7 million. The court also instructed ICANN to suspend the spamhaus.org domain. ICANN claimed it did not have the power to suspend the domain, but indicated that Spamhaus’ hosting company would do so. With precedents like Spamhaus, defendants may be reluctant to ignore foreign lawsuits. The best strategy is to consult with legal counsel in both jurisdictions and formulate an approach that minimizes your risks without jeopardizing your legal position.

May 8, 2007

State Class Action Litigation Related to Privacy Breaches

Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes. Thirty-four states already have security breach notification laws in effect. If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of the notification laws.

In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages. For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.

In the Providence case, a Providence employee left the office with tape backups and disks containing more than 365,000 patient records. The employee left the information in the car, where it was stolen. When the patients indicated that they would like Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.

Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information. Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.

Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.

The new policies include coverage for the following claims:
• Failure of network security;
• Wrongful disclosure of private or confidential information;
• Failure to protect confidential or private information; and
• Violations of federal, state, or local privacy statutes.

Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.

Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions requiring the insurance company to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, for the individuals affected by the security breach.

May 30, 2007

Recent Federal Government Data Breaches

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took home a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records. The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case, and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities. The FTC offered free credit monitoring for 110 people as a result of the theft.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 1 of 3)

“The world is digital and so is our personal data. In this day and age, almost everything we do results in a third party creating a digital record about us – digital records that we may not even realize exist.” – Senator Russ Feingold.

Congress wants to protect your sensitive personally identifiable information, and this time they mean it. No, seriously, they really do, and they’re willing to throw you in jail to prove their point. Personally identifiable information is a valuable commodity that is bought, sold and, of course, stolen. In 2006, over 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost approximately $6,300 and spent over 40 hours on the phone with creditors and credit bureaus to clear their names. Businesses collectively lose $50 billion a year to identity thieves.

In 2005, Senator Patrick Leahy (D-VT) and Senator Arlen Specter (R-PA) introduced a bill that attempted to protect individuals’ private information. However, influential critics of this bill viewed it as “unfriendly” to business, and the bill was never brought up for a vote. In 2007, the political winds shifted and the legislative gavel changed hands. Senators Leahy and Specter reintroduced their bill, joining forces with Senator Dianne Feinstein (D-CA) and Senator Russ Feingold (D-WI). Now, it looks like the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). Congress recently received the blessing of Microsoft and other private industry leaders, so it is widely anticipated that the Federal Government will pass the Privacy and Security Act within the next couple of months.

This Privacy and Security Act associates identity theft with organized crime and imposes new criminal penalties for intentionally concealing a data security breach. The Act is also unique because it regulates data brokers, all businesses that collect personal information, and… the Federal Government, itself.

This report is divided into three parts. Part I will briefly discuss the new criminal penalties imposed for intentionally violating the new legal reporting requirements for data brokers. Part II focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program. Finally, Part III briefly discusses the requirement that certain government agencies designate a Chief Privacy Officer and ensure that data brokers under government contract have a sufficient data privacy and security program in place.

Title I – Enhancing Punishment for Identity Theft.

The Privacy and Security Act significantly enhances the punishment for identity theft by associating such activity with organized crime. Specifically, the Privacy and Security Act adds subsection 18 U.S.C. § 1030(a)(2)(D) relating to fraud and related activity in connection with unauthorized access to sensitive personally identifiable information. Furthermore, the Act makes it a criminal offense to conceal a security breach, even if such concealment harms only one individual. That’s right. The Privacy and Security Act could land a Chief Privacy Officer in the Federal Penitentiary for up to 5 years if he or she “knowingly” fails to provide notice of a breach to individuals, where required under Title III of the Act, and he or she attempts to “intentionally and willfully” conceal such breach. To make matters more exciting, the Act puts the United States Secret Service in charge of investigating all alleged offenses. The Act does require that the offender knowingly, intentionally and willfully violate the Act. However, the Privacy and Security Act does make it clear that senior management, corporate officers and their employees will be held criminally responsible for knowing and complying with the law. Remember, ignorance of the law is not an excuse.

Title II - Data Brokers.

The Act is unique because Congress publicly acknowledges that data about individuals is bought and sold and that such data is not merely limited to the information found in a credit report. The Act applies to data brokers engaging in interstate commerce. Congress defines a “data broker” as “a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.”

Legal Duties. The Privacy and Security Act requires data brokers to disclose to individuals, for a reasonable fee of course, all personal electronic records pertaining to that individual that the data brokers collect and sell to third parties. The disclosures must also include instructions on the procedures to correct any inaccurate information. If the individual disputes the accuracy or completeness of the information, the data broker shall determine within 30 days whether the information accurately reflects information found in the public record. If the disputed information did not come from the public record, then the data broker shall investigate and determine whether the personally identifiable information is accurate and complete, free of charge this time. If the data broker determines that the disputed information is in fact inaccurate, then the data broker must correct the information accordingly. If an individual requests it, the data broker must also provide the name of the entity that supplied the disputed information and how to contact that entity. However, if the data broker reasonably determines that the individual’s initial dispute is “frivolous” or “intended to perpetuate fraud”, the data broker may decline to investigate and terminate its review as long as it notifies the individual in writing.

Enforcement. The Federal Trade Commission (“FTC”) is charged with enforcing the Privacy and Security Act. If a data broker violates Title II, it may be enjoined and assessed civil penalties of up to $1,000 per violation per day, up to a maximum of $250,000. If a state law is broken, States are still permitted to bring a civil action in Federal Court. However, the State attorney general must first provide written notice to the FTC, if feasible. Otherwise, the State must provide the FTC with a copy of the complaint as soon as practicable. If the FTC has already proceeded against the data broker under the Act, the State attorney general may not bring its own claims against the violator. Hence, Federal authority trumps all State actions. Finally, individuals are not allowed to bring private causes of action against a data broker for violating the Act.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 2 of 3)

“In the information age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain.” – Senator Patrick Leahy.

As noted in Part I of this report, the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). This Privacy and Security Act is unique because it specifically applies to data brokers, businesses that collect personal information and government agencies.

Part II of this report focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program.

Title III – Privacy and Security of Personally Identifiable Information.

Senators Leahy and Specter wanted to ensure that all businesses which handle sensitive personally identifiable information develop and implement administrative, technical, and physical safeguards to protect such information. Title III mirrors the Safeguards Rule requirements found in the Gramm-Leach-Bliley Act (the “GLBA”). Accordingly, the Privacy and Security Act excludes financial institutions that are already governed by the GLBA. Similarly, the Act excludes all entities governed by the Health Insurance Portability and Accountability Act of 1996.

Data Privacy and Security Program. Title III applies to all businesses that collect, access, transmit, use, store or dispose of personally identifiable information of 10,000 or more American citizens. The Act requires such businesses to create and implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards “appropriate” to the size and complexity of the business and the “nature and scope” of its activities. The data privacy and security program must be designed to ensure the privacy, security, and confidentiality of sensitive personally identifiable information, protect against any anticipated vulnerabilities to the privacy, security or integrity of such information, and protect against unauthorized access to such information that could result in substantial harm or inconvenience to the individual.

The Act requires a business to conduct a thorough risk assessment and identify internal and external vulnerabilities that could result in the unauthorized access, disclosure, use or alteration of sensitive personally identifiable information or systems containing such information. A business must determine the likelihood of a network breach and the potential damage, if such breach occurred. The risk assessment must also review policies, technologies and safeguards a business employs to minimize unauthorized access and assess how it disposes of sensitive personally identifiable information.

Based upon its risk assessment, a business shall design, adopt and implement a personal data privacy and security program. Once again, the measures adopted shall be appropriate to the sensitivity of the data as well as the business’ size, complexity, and scope of activities. The Privacy and Security Act requires that businesses control access to personally identifiable information, detect unauthorized attempts to gain access to such information, protect the information by encryption or other reasonable means, and dispose of personally identifiable information securely. The Act also requires a business to train its employees regarding its data security program and to ensure that they follow its policies and procedures. Finally, the Act requires a company to frequently test its data security program for vulnerabilities and update its systems accordingly.

Just like the GLBA, the Privacy and Security Act holds companies responsible for their third-party service providers. For example, a business must exercise due diligence and take reasonable steps to select only those service providers that are capable of maintaining appropriate safeguards for the security, privacy and integrity of sensitive personally identifiable information. There must be a contractual agreement by and between the business and the service provider that expressly states the service provider will implement and maintain appropriate measures to protect private information in accordance with the Act. Again, a business must periodically assess the security measures employed by its service providers.

Enforcement. The Federal Trade Commission is charged with enforcing Title III. If a business violates Title III, it may be enjoined and assessed civil penalties of up to $5,000 per violation per day, up to a maximum of $500,000. If the violations are found to be intentional or willful, then a business may be fined an additional $5,000 per violation per day, up to a maximum of $500,000. Just like Title II, States are permitted to bring a civil action in Federal Court. However, the State attorney general must first provide written notice to the FTC. If the FTC has already proceeded against the violator, the State attorney general is barred from bringing a separate claim. Hence, Federal authority may be exclusive and trumps all State actions. Individuals are once again barred from bringing a private cause of action.

Do you have a comprehensive data protection program in place? The attorneys at Scott & Scott LLP are the knowledge leaders in privacy, security and IT compliance. Contact us today before the government calls you.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 3 of 3)

The Act “guarantee[s] that the Federal Government is not wasting money on inaccurate data and that vendors are undertaking the security programs that they have promised and for which the government is paying.” – Senator Russ Feingold

“I’ve got some ocean front property in Arizona. From my front porch you can see the sea. And if you’ll buy that I’ll throw in the Golden Gate for free.” – George Strait

Although Senator Feingold’s optimism is well placed, it may be overstated. However, if the Act is passed as presented, the Federal Government will take a substantial step forward in protecting personally identifiable information. Title IV of the Act requires the Federal Government to evaluate the privacy and security program of all data brokers who bid for government contracts in excess of $500,000. Yes, Virginia, even our own Federal Government hires data brokers in order to find out more about you, the taxpayer.

Title IV’s requirements are very specific. The General Services Administration is in charge of reviewing: (1) the data privacy and security program of a data broker to ensure the privacy and security of data containing the personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software; (2) the compliance of a data broker with such program; (3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and (4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.

Just like the GLBA, Title IV provides a compliance safe harbor. Section 401(b) states, “The data privacy and security program of a data broker shall be deemed sufficient… if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.” This compliance safe harbor is vague at best and punts the proverbial football over to the FTC to define what exactly “protection equal to industry standards” means.

If a data broker wants to bid on a government contract, the Act also requires Federal agencies to complete a privacy impact assessment, under section 208 of the E-Government Act of 2002. The privacy impact statement must address the use of commercial information services that contain personally identifiable information. This privacy impact assessment must be completed before the Federal agency enters into a data broker contract and must include a laundry list of specific information regarding the data broker, the broker’s data privacy and security program, and information about the government contract, itself. The privacy impact assessment must include a description of: (1) the database; (2) the name of the data broker; and (3) the contract amount. Additionally, a data broker must adopt regulations that specify: (1) the personnel permitted to access, analyze or use such databases; (2) standards governing the access, analysis, or use of such databases; (3) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency; (4) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases; (5) procedures ensuring that such data meets standards of accuracy, relevance, completeness and timeliness; (6) the auditing and security measures to protect against unauthorized access, analysis, use or modification of data in such databases; (7) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases; (8) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (9) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases. 
If the contract exceeds $500,000, then the government contract must also include penalties for failing to comply with Title III of the Act and for failing to comply with the data broker’s own data privacy and security program.

Interestingly, Title IV also requires the Department of Justice to create a department-wide Chief Privacy Officer who reports directly to the Deputy Attorney General. The Chief Privacy Officer shall oversee the D.O.J.’s implementation of Title IV’s privacy impact assessment requirements and coordinate with the Privacy and Civil Liberties Oversight Board.

Congress may not pass the Privacy and Security Act into law this legislative session. However, lawmakers and industry leaders agree that this bill is long overdue and that it will eventually pass. The only remaining question is in what form, and when, it will pass.

May 31, 2007

The New Standard of Care: Data Encryption on Portable Devices

Approximately 60 percent of PDAs and 59 percent of laptops contain unprotected sensitive or confidential information. Almost half of businesses surveyed by the Ponemon Institute indicated that they would never be able to determine the actual information that they lost. There are a number of precautions businesses and their employees should take to ensure that they have met the minimum standard of care related to protecting sensitive data contained on laptops or other mobile devices. These security measures include:
• Protect information stored on the laptop with a secure password. It should consist of a combination of numbers and upper and lower-case letters.
• Implement advanced security measures such as Remote Laptop Security and laptop encryption.
• Be sure that all important data contained on the laptop is backed up.
• Make use of physical security measures like locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.
• When leaving a laptop in the office, make sure it is hidden and secured.
• Keep your laptop in an inconspicuous case. Flashy cases expose your computer by attracting thieves’ attention. A simple padded messenger bag can suffice as a protective container.
• When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.

The Ernst & Young laptop theft in Miami could have been prevented if employees had followed these simple instructions. Furthermore, the companies whose data was stolen could have easily identified the compromised data if they had regularly backed up the information contained on the laptops. Finally, all of the information could have been protected if it had been encrypted. Only 65 percent of the Ponemon survey respondents claimed that their organizations utilize encryption to protect information.

June 4, 2007

Texas Attorney General Abbott Declares War on Identity Theft…and Holds Your Company Responsible

“Texans expect their personal information to remain confidential. The Office of the Attorney General will take all necessary steps to protect consumers from identity thieves.”
– Texas Attorney General Greg Abbott

Don’t mess with Texas, and you had better be sure not to mess with a Texan’s nonpublic personal information. Texas Attorney General Greg Abbott has declared war on identity theft and he’s holding companies responsible. Over the past several weeks, Mr. Abbott filed no fewer than six lawsuits against companies for violations of the Texas Identity Theft Enforcement and Protection Act of 2005, Tex. Bus. & Com. Code Ann. §§ 17.41, et seq., and Tex. Bus. & Com. Code Ann. § 35.48. In May 2007, Attorney General Abbott filed an enforcement action against CNG Financial Corporation, its subsidiaries, and EZPAWN for improperly dumping customer records, including promissory notes and bank statements. In April, Attorney General Abbott took legal action against CVS/pharmacy and RadioShack Corporation for exposing hundreds of customers to identity theft by failing to properly dispose of records that contained sensitive information. In March, the Attorney General filed an enforcement action against Jones Beauty College in Dallas for improperly discarding student financial aid forms containing Social Security numbers and other personal information. Also in March, Attorney General Abbott took legal action against On Track Modeling, a North Carolina-based talent agency that abruptly shut down its North Texas office and abandoned more than 60 boxes containing hundreds of confidential client records.

The Identity Theft Enforcement and Protection Act.

The Identity Theft Enforcement and Protection Act (the “ITEP Act”) mandates that businesses have a legal duty to protect and safeguard sensitive personal information. Similar to the Gramm-Leach-Bliley Act, the ITEP Act requires businesses that collect or maintain sensitive personal information in the regular course of business to implement and maintain reasonable procedures and corrective measures to protect and safeguard sensitive personal information from unlawful use or disclosure. Furthermore, the ITEP Act includes a “Dumpster Diving” provision under which companies are required to destroy customer records no longer in use by shredding, erasing or modifying the records to make the information unreadable or undecipherable. Section 35.48 of the Texas Business & Commerce Code also mandates that companies destroy business records that contain personal identifying information in a secure manner. The ITEP Act provides an exception for financial institutions governed by the GLBA.

The ITEP Act requires corporations to give notice if their system security is breached and may compromise the security, confidentiality or integrity of sensitive personal information. A company must disclose such breach as quickly as possible by either written notice, electronic notice, or by providing conspicuous notice on its website and publishing or broadcasting such notice through the mass media. The type of disclosure depends upon the number of persons affected and the companion Federal statute, if any.

The State of Texas v. CNG Financial Corporation, Check ‘N Go of Texas, Inc. and Southwestern & Pacific Specialty Finance, Inc.

On May 24th, 2007, the Texas Attorney General filed an enforcement action against CNG Financial Corporation and its related entities, Check ‘n Go of Texas, Inc., and Southwestern & Pacific Specialty Finance, Inc. (hereinafter collectively referred to as “Defendants” or “Check ‘N Go”). The lawsuit claimed the Defendants violated the Identity Theft Enforcement and Protection Act, the Deceptive Trade Practices Act and the Credit Services Organizations Act. All of these claims are based upon the Defendants’ failure to protect their consumers’ sensitive personal information.

According to the lawsuit, Check ‘N Go is in the business of finding third party lenders to provide its customers cash advances, more commonly referred to as payday loans or fast cash loans. These payday loans are short-term loans that are repaid via a pre-authorized withdrawal from the customer’s checking account on the next payday after the loan is given. In order to process the payday loans, Check ‘N Go collects a myriad of non-public personal information including but not limited to the applicant’s address, date of birth, Social Security number, and driver’s license number. Additionally, Check ‘N Go collects the applicant’s employment information, his or her bank checking account number, bank routing number, the applicant’s signature and thumb print. However, according to the lawsuit, on numerous occasions and in several locations throughout Texas, Check ‘N Go disposed of its customers’ sensitive personal information in publicly available dumpsters located behind its retail locations, without shredding or modifying the information.

First, the Defendants were charged with violating the Deceptive Trade Practices Act because they misrepresented to their customers in writing that they were “committed to protecting our customers’ privacy and security” by “restrict[ing] access to nonpublic personal information”, maintaining “physical, electronic and procedural safeguards… designed to safeguard your nonpublic personal information” and “prevent[ing] unauthorized access to your nonpublic personal information by regularly assessing our security standards and privacy policies, and by regularly training our employees and requiring our vendors to comply with those standards and policies.” Attorney General Abbott instead alleges that the Defendants “in truth and in fact… fail[ed] to safeguard sensitive personal information.” The lawsuit also contends that, “When specifically asked what would happen to their checks by at least two customers, Defendants represented to them that the checks would be shredded. In truth and in fact, the checks were dumped into the trash without even being torn.”

Second, the Defendants were charged with violating various provisions of the Texas Identity Theft Enforcement and Protection Act. Attorney General Abbott alleged that Check ‘N Go failed to implement and maintain reasonable procedures to protect and safeguard their customers’ sensitive personal information that it collected and especially failed to destroy or arrange to destroy its customer records in a secure manner.

Third, the Defendants were charged with violating the Texas Credit Services Organizations Act (the “CSOA”). The lawsuit claims that Check ‘N Go misrepresented the quality and degree of security and protection afforded to the sensitive personal identifying information that its customers provided in order to purchase credit services. Specifically, the lawsuit alleges that the Defendants represented in their privacy policies that “[w]e… protect… our customers’ privacy and security…” and then “dump[ed] such information into trash receptacles making it easily accessible to the public…”

Why is this lawsuit a big deal? It goes directly to Check ‘N Go’s bottom line. First, the Defendants cannot compete with the Texas government and its unlimited resources. Next, the Attorney General announced in a press conference, to anyone who would listen, that Check ‘N Go was negligent and its customers may be at risk. The damage to Check ‘N Go’s brand image may not be immediately quantifiable, but in time the free market will let them know. Third, Attorney General Abbott sought a temporary injunction and a permanent injunction to prevent the Defendants from continuing their current business practices. If granted, the injunctions will force the Defendants to stop certain aspects of their business, and that will cost Check ‘N Go time and money. Finally, Check ‘N Go will pay monetary damages to the State. How much money Check ‘N Go will pay is uncertain, but they will pay.

For violating Chapter 35 of the Texas Business & Commerce Code, the Defendants may be liable for a civil penalty of up to $500 for each record. Section 48.201 of the ITEP Act not only allows the Attorney General to seek a permanent injunction, but also exposes the Defendants to a civil penalty of at least $2,000 and up to $50,000 against each Defendant. The DTPA adjudges a civil penalty against each Defendant of up to $20,000 for each violation. Similarly, for violating the CSOA, each Defendant may be liable for up to $20,000 per violation. If the customers whose nonpublic personal information was unlawfully dumped can be identified, those customers may be awarded damages of “not less than the amount the consumer paid” Check ‘N Go in the first place. Finally, the Defendants are liable for the State’s reasonable attorney’s fees, investigatory costs and court costs.

In summary, the cost of noncompliance is high and very few companies have a check book that big.

June 19, 2007

California Judge Ruling May Force Companies to Drastically Alter Their Data Privacy Policies and the Business Implications Could Cost Millions!!!

“I don't know if it's such a hot idea to have a court confined to California. You would still get a court full of activist judges, and a court that doesn't represent the whole of the state.” – Retired Judge Robert Bork

Always interesting and never ceasing to befuddle legal scholars, another California Federal Judge is attempting to re-write the Federal Rules of Evidence by requiring a popular BitTorrent indexing Web Site to preserve and disclose information kept on its computers’ random access memory (“RAM”). California Federal Magistrate Judge Jacqueline Chooljian ruled that information found in RAM is “electronically stored information” and therefore subject to the rules of evidence. If upheld on appeal, the implications of this ruling could force companies to rewrite their privacy policies and cost millions to implement.

MPAA v. TorrentSpy

In February 2006, six movie studios brought a Federal copyright infringement suit against TorrentSpy, a Web Site that allows peer-to-peer (“P2P”) file sharing. The MPAA alleges that TorrentSpy directs its users to files which allow downloading of copyrighted videos. The MPAA further contends that TorrentSpy’s RAM data will show that TorrentSpy is used primarily for copyright infringement. When the MPAA accused TorrentSpy of wrongfully withholding its login user information, TorrentSpy objected, arguing that such information was transitory and that RAM, by its very nature, takes the form of integrated circuits with no physical movement of a storage medium and no physical read head. Stated another way, once the server’s login function is shut off, the information is gone. Judge Chooljian justified her decision stating that the Server Log Data was relevant and that the information was already “stored” in the RAM. Judge Chooljian then backtracked and inserted her own disclaimer stating that her ruling does not mean that litigants in all cases are required to preserve and produce data that is temporarily stored in RAM. Despite her reluctance or lack of intent, Judge Chooljian is most likely creating legal precedent that will be used in future DMCA cases.

The Business Impact on a Company’s Privacy Policies

This is the first highly publicized case in which a judge held that RAM was discoverable. The ramifications of this ruling would require a company to store, collect and turn over RAM data every time a company was sued. Preservation letters would become the new form of legal intimidation along with a Digital Millennium Copyright Act (“DMCA”) notice. Businesses may have to significantly re-write their data privacy policies essentially stating that a customer’s information is private… as long as they don’t get sued. The economic cost, both in manpower and infrastructure, of collecting and storing RAM data could be significant regardless of a company’s size.

Scorched Earth: The DirecTV End User Shakedown Part Deux

Another practical concern for TorrentSpy is that if it is forced to disclose RAM data about its end users, then the end users will be sued by the MPAA as well. Earlier this decade, DirecTV sued thousands of its own customers who registered on a Web Site that sold smart card equipment. Because there was no way to tell whether or not the registered users merely browsed the Web Sites, which required its visitors to login, or actually bought and used the smart cards for illegal purposes, DirecTV took a scorched earth policy and sued everyone… and I mean everyone. DirecTV apparently knew that most Americans cannot afford an expensive Federal court battle.

History has a way of repeating itself. Once Judge Chooljian forces TorrentSpy to release its RAM data and login user information, the MPAA may sue TorrentSpy’s many end users. Any residual sense of trust between TorrentSpy and its login visitors will be lost. TorrentSpy’s Internet traffic will drastically decline due to end user fear of retribution by the MPAA. TorrentSpy may be forced out of business. The MPAA, RIAA or another aggressive plaintiff with considerable resources can and will litigate an Internet company out of business if it is determined enough. The lesson learned from DirecTV is that an individual login user can be guilty by association regardless of intent. Judge Chooljian’s disclaimer will not put the genie back in the bottle.

“Et tu, Brute?”

Moore’s law states that the number of transistors on a chip, and hence technology, doubles every two years. Newton’s third law of motion states that for every action there is an equal and opposite reaction. In this digital and information age, where technology doubles every 2 years, an equal and opposite reaction has been the exponential dissolution of privacy. Americans love their privacy. Customers want to know that their data privacy is secure. Likewise, companies want to reassure their login users that their information is safe. However, privacy is becoming nothing more than Platonic idealism. The American judicial system was once considered a stalwart institution that protected an individual’s right to privacy. Judge Chooljian’s ruling makes it clear that the end of an era is near and that society is one step closer to fulfilling Scott McNealy’s prophetic words, “Privacy is dead, deal with it.”

Preventing Data Breach and the GLBA: The Safeguards Rule

“Safeguarding information is not a product, but a process.” – Thomas J. Smedinghoff

The GLBA’s Safeguards Rule requires financial institutions to conduct a thorough risk assessment of their security measures and design a comprehensive information security program to protect nonpublic personal information. Specifically, the Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive information security program that is written… and contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The statutory objectives of the Safeguards Rule are to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

An Information Security Program Must be Appropriate.

The Safeguards Rule requires an institution to develop, implement, and maintain a comprehensive information security program that is written, contains administrative, technical and physical safeguards, is “appropriate” to the institution’s size and complexity, as well as the nature and scope of its activities, and is appropriate to the sensitivity of the customer information at issue. Therefore, an institution may exercise some latitude in developing its security program. While some critics may view this subjective standard as unenforceable, the FTC places a high level of responsibility upon financial institutions to keep up with the latest technology and the constant bombardment of potential identity thieves.

A Thorough Risk Assessment is Required.

The FTC requires companies to conduct a thorough risk assessment and address such risks to customer information in all areas of their operation, including administrative, technical, and physical safeguards. As part of the risk assessment, the Safeguards Rule requires an institution to:


  • Designate someone to coordinate the information security program;

  • Perform a thorough risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.


Reactions to the Safeguards Rule were mixed. Many companies carefully considered the costs of compliance compared to the costs of non-compliance. In fact, John Eubank, president of Nationwide Mortgage Group, evaluated whether to close his company because it would cost him $70,000 to comply with the Safeguards Rule and approximately $250,000 to fight the FTC if he elected not to comply. The $250,000 did not include potential fines.

Another important factor for institutions to consider is the potential discoverability of risk assessments. If internal employees prepare the risk assessments, those assessments could be admitted as evidence, if they are relevant in court proceedings. For example, if a technical professional prepared a risk assessment indicating that the company should replace the firewall, and a security breach or data breach resulted due to the firewall before it could be replaced, the security assessment may be a damaging piece of evidence. To avoid potential discovery issues, companies should determine whether they could have their risk assessments covered by the attorney-client or the attorney work-product privileges. The rules regarding these privileges are state specific and should be examined carefully with experienced counsel.

Employee Training and Management.

The cost of compliance is related to employee training and management. As part of its information security program, a financial institution should:


  • Check employee references and perform background checks;

  • Require employees to sign a confidentiality agreement;

  • Limit employee access to sensitive customer information;

  • Use password-activated screen savers to lock employee computers;

  • Encrypt customer files on laptops and other computers in case of theft;

  • Impose disciplinary measures for security policy violations;

  • Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names.


The FTC noted in one of its publications that “the success of your information security plan depends largely upon the employees who implement it.”

Information Systems.

Second, the Safeguards Rule requires a financial institution to assess its information systems, including network and software design, as well as information processing, storage, transmission, and disposal. A financial institution’s written information security plan should include both technology concerns and the physical storage and destruction of nonpublic personal information. For example:


  • Know where sensitive customer information is stored and store it securely;

  • Ensure that the computer or server is accessible only by using a “strong” password and is kept in a physically secure area;

  • Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area;

  • Take affirmative steps to secure transmission of customer information;

  • Encrypt customer data if it is necessary for you to transmit such information by email or Internet;

  • If you collect information online directly from customers, secure the data transmission automatically;

  • Dispose of customer information consistent with the FTC’s Disposal Rule.


Plan for System Attacks.

Third, the Safeguards Rule requires a financial institution to detect, prevent, and respond to attacks, intrusions, or other system failures. A financial institution must remain constantly vigilant, and employ the latest security measures and technology in order to adequately protect its network. The FTC Guidance report suggests that financial institutions:


  • Monitor the websites of software vendors and relevant industry publications for news about emerging threats and available defenses;

  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information;

  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information;

  • Take affirmative steps to preserve the security, confidentiality, and integrity of customer information and consider notifying consumers, law enforcement, and credit bureaus in the event of a security breach or data breach;

  • Oversee service providers by ensuring that they are able to take appropriate security precautions and in fact do so;

  • Update the security program as necessary in response to frequent monitoring and material changes in the business.


Implementing and Maintaining the Information Security Program.

Finally, the Safeguards Rule requires a financial institution to design and implement information safeguards to control the risks identified and regularly test and monitor the effectiveness of the information security program’s key controls, systems, and procedures. This duty also includes overseeing third-party service providers by taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and requiring the service providers to contractually agree to implement and maintain such controls. The Safeguards Rule requires a financial institution to evaluate and adjust its information security program in response to its system test results or in response to any changes in its operations or business circumstances.

As Congress attempts to keep pace with the information age and balance the needs of commerce with those of individual protection, the Gramm-Leach-Bliley Act continues to evolve. Financial institutions must be aware of new Federal agency opinions as well as changing state laws. The Privacy and Safeguards Rules allow financial institutions to adopt policies and procedures that are appropriate for their specific needs and size, but the costs of compliance are often great. The costs of non-compliance can be even greater. As technology advances, so does the level of appropriateness a financial institution is required to maintain. Protecting the privacy of consumer information is not only good for business, it’s a legal duty.

June 20, 2007

Preventing Data Breach and the GLBA: The Privacy Rule

“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – 15 U.S.C.A. § 6801.

In 2006 an estimated 9 million American adults were the victims of identity theft at a total cost of $56.6 billion. There are a number of legislative efforts designed to protect the privacy, security, and confidentiality of customer data. One such law, the Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. The GLBA charged the Federal Trade Commission (the “FTC”), and other government agencies that regulate financial institutions, with the duty to enforce, carry out, and implement the GLBA.

The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies, who obtain or attempt to obtain personal financial information under false pretenses.

The Financial Privacy Rule.

The Financial Privacy Rule (the “Privacy Rule”) applies to financial institutions that collect and receive nonpublic personal information from consumers, and requires them to disclose and provide a written notice of their policies and procedures to their customers, stating how the customer’s nonpublic personal information is protected and shared. The privacy notice must also provide consumers with a reasonable opportunity to “opt-out” of any information sharing, if required by statute.

The term “financial institution” is defined as any business that is significantly engaged in activities that are financial in nature, as well as companies that receive information that is “incidental” or “complementary” to such financial activity. Financial activities include, but are not limited to lending, exchanging, transferring, investing for others, safeguarding money or securities, providing financial, investment, or economic advice, underwriting, dealing in or making a market in securities, non-bank mortgage lending, real estate settlement services, credit counseling, check-cashing services and individual tax return services.

Notice Requirements: Clear and Conspicuous.

First and foremost the privacy notice must be “clear and conspicuous.” This means that the notice must be understandable and designed to call attention to the nature and significance of the information within the notice. For example, the notice must use easily readable font, present the information in clear, concise sentences, using definite, everyday words, and short, explanatory sentences whenever possible. Similarly, any changes in the privacy policy must be clear and conspicuous and the consumer must be reasonably notified of such changes.

Disclosure Obligations: Consumer v. Customer.

The type and frequency of the notice is dependent on whether the information belongs to a “consumer” or a “customer.” The primary distinction between a consumer and a customer depends upon the relationship that exists between the individual and the financial institution.

A “consumer” is an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. Typically, however, a consumer has a limited, “one time” connection with the financial institution. For example, a consumer may be an individual who uses an automatic teller machine to withdraw cash from an account he or she may have at another financial institution, or the consumer obtains a loan from a company that does not retain the rights to service the loan.

A financial institution is only required to send a privacy notice when it shares or intends to share the consumer’s nonpublic personal information with a nonaffiliated third party. Therefore, if a financial institution does not share or intend to share the consumer’s information with a nonaffiliated third party, no privacy notice is required.

A “customer” is a consumer who has a “continuing relationship” with the financial institution. It is the nature of the relationship, not how long it lasts, that defines a customer. For example, a customer may have a deposit or investment account with a bank, obtain a loan, purchase an insurance product or hold an investment account through a brokerage or investment company. If the consumer relationship is a principal one, then the consumer is also a customer.

Financial institutions are required to provide customers with a privacy notice as soon as the customer relationship is established, whether or not the institution plans to share the customer’s nonpublic personal information. Additionally, the institution is required to provide its customer with a privacy notice annually for as long as the customer relationship exists. For purposes of the Privacy Rule, a former customer is considered a consumer.

Required Information.

The privacy notice must accurately reflect the institution’s information collection and sharing practices. The privacy notice must contain the following:


  1. The categories of nonpublic personal information the institution collects;

  2. The categories of nonpublic personal information the institution discloses;

  3. The categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information (with certain statutory exceptions);

  4. The categories of nonpublic personal information the institution discloses about its former customers and the categories of affiliates and nonaffiliated third parties with which the institution shares its former customer information (with certain statutory exceptions);

  5. If an institution shares nonpublic personal information with a nonaffiliated third party, the institution is required to provide a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted;

  6. An explanation of the customer’s rights to opt-out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;

  7. Any disclosures an institution makes pursuant to the Fair Credit Reporting Act; and

  8. An institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.


In other words, a financial institution must provide written notice of its privacy policies and practices, describe the conditions under which the institution may disclose the consumer’s nonpublic personal information to nonaffiliated companies, and provide a method for consumers to opt-out of such information sharing, if required by law. The GLBA defines nonpublic personal information as “personally identifiable financial information provided by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise by the financial institution.” (e.g. first and last name, home address, email address, telephone number, Social Security number, credit card account number, and a customer number held in a “cookie” that identifies an individual consumer).

The Opt-Out Notice and its Exceptions: What is Required in an Opt-Out Notice?

If a financial institution intends to share nonpublic personal information with a nonaffiliated third party, the institution must provide its consumers with an opportunity to “opt-out” and instruct the institution not to share his or her nonpublic personal information in most instances. This opt-out notice is required to be delivered to the consumer within a reasonable time and must be included or incorporated within the privacy notice itself. Just like the privacy notice, the opt-out notice must be clear and conspicuous and must: (1) state that the institution reserves the right to disclose the consumer’s nonpublic personal information to a nonaffiliated third party; (2) state that the consumer has the right to opt-out; and (3) provide a reasonable means by which the consumer may opt-out. For example, an institution may provide the consumer with a toll-free telephone number or a detachable form which includes a check-off box and mailing information. However, the FTC determined that requiring a consumer to write a letter as the sole means to opt-out fails to meet the reasonable means standard.

The Exceptions to the Opt-Out Notice: Service Providers and Joint Marketing.

Financial institutions often contract with outside service providers to perform certain ordinary business functions such as data processing or servicing accounts. The opt-out requirements do not apply when financial institutions share information with service providers who perform such services or ordinary business functions on the institution’s behalf, as long as: (1) the institution provides an initial notice to the consumer; and (2) the institution enters into a contractual agreement with the service provider that prohibits it from disclosing or using the information other than to carry out the function for which it was hired. These service provider contracts should specify the appropriate use of consumer nonpublic personal information and the requirements for safeguarding such personal information, and should expressly prohibit any unauthorized or unlawful use of personal information. This exception also applies to third parties who perform joint marketing services, such as the marketing of an institution’s own products and services or of financial products offered by one or more affiliated financial institutions. Again, there must be a contractual agreement between the financial institution and the third party that carries out the joint marketing, expressly prohibiting the disclosure of information other than what is necessary in the ordinary course of business.

Servicing Transactions.

A second exception to the opt-out notice requirements allows the sharing of nonpublic personal information that is necessary for a financial institution to “effect, administer, or enforce” a transaction that a customer requests or authorizes. These customer-authorized transactions include: (1) servicing or processing a financial product or service that a consumer requests or authorizes; (2) maintaining or servicing the consumer’s account, including servicing on behalf of another entity, such as a private label credit card program; or (3) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to the consumer. For example, the GLBA allows a financial institution to proceed with a consumer’s loan application without having to provide the consumer with an opt-out notice. The premise of this exception is that the consumer authorizes the disclosure of personal information that is necessary to obtain the loan the consumer requested.

Other Exceptions to Notice and Opt-Out Requirements.

Finally, Section 313.15 provides a laundry list of exceptions that allow a financial institution to disclose a consumer’s nonpublic personal information. These exceptions include:


  • When the customer consents to his or her information being shared.

  • To protect the confidentiality or security of the consumer’s records and to protect against or prevent actual or potential fraud.

  • To resolve customer disputes or inquiries.

  • To a consumer’s legally appointed representative, such as a power of attorney, or persons acting in a fiduciary capacity on the behalf of the consumer.

  • To provide information to insurance rate advisory organizations, guaranty funds, or agencies that rate the institution, persons assessing an institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.

  • To the extent permitted or required by law and in accordance with the Right to Financial Privacy Act.

  • To a consumer reporting agency in accordance with the Fair Credit Reporting Act.

  • To comply with all Federal, State or local laws, including court orders.

Preventing Data Breach and the GLBA: The Privacy Rule's Safe Harbor and Notice Requirements

“I’ll send an S.O.S. to the world… I’ll send an S.O.S. to the world… I hope that someone gets my… I hope that someone gets my… Message in a bottle…” – The Police.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information through false representations. However, critics often contend that the GLBA requirements are not specific enough and are subject to interpretation.

Question: How do financial institutions know when they are complying with the GLBA’s Privacy Rule?
Answer: The Safe Harbor Rule… for now.

The Safe Harbor Rule.

The Privacy Rule does not require any specific format or uniform wording in an institution’s privacy notice. Instead, the GLBA allows an institution to draft its own privacy notice as long as it is clear and conspicuous and furnishes the required information. However, Congress recognized that this broad discretion might result in some confusion. Therefore, Congress attached an appendix to the Privacy Rule that provides model language called “Sample Clauses.” With some specific industry exceptions, if a financial institution incorporates the Sample Clauses within its privacy notice, the financial institution has complied with the GLBA requirements as a matter of law.

Despite Congress’ efforts to ensure that privacy notices were clear and conspicuous, consumers and customers still complained about the notices. “Reaction to the first privacy notices delivered in July 2001 was highly negative… the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.”

On October 13, 2006, Congress passed the Financial Services Regulatory Relief Act of 2006 (the “Relief Act”). The Relief Act charged eight federal agencies (the “Agencies”) with jointly developing a uniform model privacy notice that would address concerns expressed by financial institutions and reduce consumer confusion. Specifically, the Relief Act instructed that the new model form:


  • Be comprehensible to consumers, with a clear format and design;

  • Provide for clear and conspicuous disclosures;

  • Enable consumers to easily identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and

  • Be succinct, and use an easily readable format.


On March 29, 2007, the Agencies submitted the Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act (the “Interagency Report”). The Interagency Report proposed several model forms that are straightforward and easier to understand than most privacy notices used by institutions today. The Interagency Report, if adopted, would eliminate the existing Sample Clauses and replace them with the proposed new model form. A financial institution could still elect to use the Sample Clauses, but would no longer receive safe-harbor protection. In order to provide a transition period for institutions to adopt the proposed new model forms, the Interagency Report recommended a one-year phase-in period once the final rule becomes effective.

Notice of Data Breach.

The FTC acknowledges that “perfect security” is not attainable and that security breaches and data breaches may occur even when every reasonable precaution is taken. The GLBA does not specifically require institutions to notify their customers of a security breach or data breach. However, the Safeguards Rule does charge institutions with an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In 2005, the FTC and other federal banking regulatory agencies adopted the Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the “Guidance”). The Guidance outlines a financial institution’s notice responsibilities when a network holding its consumers’ nonpublic personal information is breached, and highlights customer notice as a key feature of an institution’s response program.

Once a financial institution discovers that its network has been breached and that sensitive customer information has been or will be misused, the institution is first required to notify its primary Federal regulator. Second, the institution is required to notify appropriate law enforcement authorities, including filing a Suspicious Activity Report (“SAR”) when Federal criminal violations are involved. Third, if the institution determines that misuse of customer information has occurred or is likely, the institution is required to notify its affected customers as soon as possible. However, an institution may delay customer notice if law enforcement determines that such notification would interfere with a criminal investigation. The customer notice must be clear and conspicuous and should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. The customer notification shall include:


  • A description of the incident in general terms and the type of customer information that was subject to the unauthorized access or use;

  • A description of what the institution has done to protect the customer’s information from further unauthorized access;

  • A telephone number customers may call for further information and assistance;

  • A reminder that customers need to be vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft to the institution.


The FTC Guidance report encourages, but does not require, institutions to include in their customer notice:

  • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

  • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;

  • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

  • An explanation of how the customer may obtain a credit report free of charge;

  • Information about the availability of the FTC online guidance regarding steps a consumer can take to protect against identity theft.


The Guidance also encourages institutions to notify the nationwide consumer credit reporting agencies prior to sending notices to their customers. In addition to the FTC Guidance report, many states, such as California, have passed their own breach notification laws. Institutions must be aware of each state’s requirements and comply accordingly.

July 3, 2007

Bragg v. Linden Research, Inc.: Where Second Life becomes Reality

“The Matrix isn't real.” – Trinity. “I disagree, Trinity. I think that the Matrix can be more real than this world. All I do is pull a plug here, and then...” – Cypher.

Historians, take note. In 2007, the virtual world and real world collided. As Federal District Judge Eduardo C. Robreno stated in the opening paragraph of his opinion, “While the property and the world where it is found is ‘virtual,’ the dispute is real.”

In this case, Marc Bragg (“Bragg”) sued Linden Research, Inc. (“Linden”) for unlawfully seizing his virtual real property and revoking his account. Linden operates a massively multiplayer online role-playing game (“MMORPG”) called Second Life. Second Life is an Internet-based virtual world in which its users, called “Residents,” interact with each other through animated avatars. Second Life Residents interact, socialize, and even conduct business. An integral part of Second Life’s real-world business model is the exchange of a virtual currency known as the Linden Dollar. Residents purchase Linden Dollars with real U.S. Dollars. As noted in Judge Robreno’s opinion, “Second Life avatars may now buy, own and sell virtual goods ranging ‘from cars to homes to slot machines.’”

However, what makes Second Life unique in the MMORPG world is Linden’s recognition of its users’ property rights. In a press release dated November 14, 2003, Philip Rosedale, Linden’s CEO, touted, “The preservation of users’ property rights is a necessary step toward the emergence of genuinely real online worlds.” It was Bragg’s purchase of virtual real property that formed the basis of the lawsuit. In 2005, Bragg paid Linden to join Second Life and become a Resident. One year later, Bragg purchased several plots of virtual real property in Second Life and began to re-sell those parcels to other Residents for a profit. However, in April 2006, Linden sent Bragg a notice stating that he had purchased virtual real property through an exploit, and subsequently cancelled his account and confiscated all of Bragg’s virtual property. Bragg brought suit claiming misrepresentation and expropriation of property. Linden moved to dismiss for lack of jurisdiction and moved to compel arbitration.

Judge Robreno held that Linden, a California-based company, was subject to jurisdiction in Pennsylvania because the interactive nature of its Internet “game” gave the Court specific jurisdiction by means of minimum contacts. Second, the Court held that the arbitration clause contained in Second Life’s terms of service constituted an unconscionable contract of adhesion under California law and was therefore unenforceable. Specifically, Judge Robreno objected to the lack of mutuality in the contract, to the requirement that arbitration take place in California, and to the requirement that arbitration take place before a panel of three arbitrators, which is far more expensive than pursuing the matter before the Court.

Although the legal issues addressed by the Pennsylvania Federal District Court may be found in standard contract law, the context in which this dispute arose is not ordinary. Virtual real property is a newly created commodity that may give rise to a whole new set of rules and laws. By creating Second Life property rights in a world where real money is exchanged and monetary value is no longer merely “virtual,” Linden created real damages and real causes of action. The real question to be asked in this virtual world is not whether Linden will be sued again, but when and for what.

The Fair Information Practice Principles

The Fair Information Practice Principles (the “Principles”) were first enumerated by the U.S. Department of Health, Education, and Welfare in 1973. In the 30 years since the principles were formulated, they have become the basis for many privacy laws in the United States, Canada, Europe, and other parts of the world. The Principles are designed to provide a framework for the collection and use of personal information.
The original Principles consisted of the following eight guidelines:


  • Openness - Data policies should be open and clear and the entity or person controlling the data should be easily identifiable.

  • Collection Limitation - Collection of personal data should be limited and obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

  • Purpose Specification - The purpose for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

  • Use Limitation - Personal data should not be disclosed, made available or otherwise used for purposes other than those specified as described above, except with the consent of the data subject or by the authority of law.

  • Data Quality - Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, relevant and kept up-to-date.

  • Individual Participation - An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request is denied and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

  • Security Safeguards - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

  • Accountability - A data controller should be accountable for complying with privacy measures.

The FTC currently articulates five core Principles: notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. Many of the current federal regulations related to privacy contain these five Principles.