A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Continue Reading Breach Notification: Timing Is Everything

California, which enacted the pioneering security breach notification law in 2002, again has taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals’ online account credentials (i.e., a user name or email address, in combination with a password or security question and answer, that would permit access to an online account) in amendments that will take effect on January 1, 2014.[1] This article discusses California’s existing security breach notification obligations, as well as the changes provided for in these amendments.
Continue Reading California Extends Security Breach Notification Requirements to Online Account Credentials

In early May, Theodore Moss, the CEO of online background-check provider Crimcheck.com, received a letter from the Federal Trade Commission (FTC) notifying him that “recent test-shopping contacts” had indicated that his company was possibly selling consumer information unlawfully.[1] Crimcheck.com provides background-check services to businesses conducting employment screenings for potential job candidates.[2] Such companies, often referred to as “data brokers,” collect and compile information on individual consumers, drawing from public sources such as court databases and consumer credit records to piece together profiles of individuals’ financial, retail, recreational, and criminal behaviors.[3] But it is precisely that assembling of detailed information on individuals—even information compiled from public sources—that can trigger provisions of the Fair Credit Reporting Act, prompting the FTC to take a closer look at how these companies collect and use consumer information.
Continue Reading Policing Privacy: Undercover FTC Staff “Test-Shop” Data Brokers to Identify FCRA Violators

Telecommunications carriers must take precautions to protect call and location data stored on customers’ devices, according to the Federal Communications Commission (FCC).[1] As discussed in a prior WSGR Eye on Privacy article,[2] the FCC reacted to the carriers’ use of Carrier IQ to collect customers’ call information, despite its data security vulnerabilities. The FCC sought public comment on whether this type of data collection should fall within the agency’s authority under the Communications Act of 1934, as amended. After reviewing public comments, the FCC issued a Declaratory Ruling concluding that carriers must provide safeguards for certain types of data that carriers cause to be stored on their customers’ devices directly or through their agents. This security requirement applies to data transferred to carriers’ systems as well as data stored on the consumers’ devices.
Continue Reading FCC Actions Clarify That Mobile Data Security Rules Apply to Data on Devices

At a May 9, 2013, hearing, the California Superior Court dismissed the lawsuit that California Attorney General Kamala Harris filed against Delta Airlines in December 2012.[1] As reported in the January 2013 issue of Eye on Privacy,[2] the state’s lawsuit alleged that the company’s “Fly Delta” mobile application (app) violated the California Online Privacy Protection Act (CalOPPA) by failing to provide required privacy disclosures.[3] The AG sought enforcement of CalOPPA through California’s Unfair Competition Law (California UCL).[4] According to the AG, Delta violated CalOPPA by “fail[ing] to conspicuously post a privacy policy in its Fly Delta app” despite the AG’s earlier written notice of non-compliance, and because the Fly Delta app failed to comply with the privacy policy posted on Delta’s website.[5] The court dismissed the action based on its conclusion that the state law claim was preempted by the Federal Airline Deregulation Act of 1978 (ADA).[6]
Continue Reading Delta Wins Dismissal of California AG Mobile App Privacy Action

One of the most common and effective defenses raised by privacy class action defendants has been lack of standing. Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”[1] In other words, the plaintiff must have suffered some actual harm, or face an imminent risk of suffering a concrete injury. Frequently, class action plaintiffs have been unable to establish standing based on alleged injuries from the unauthorized exposure of personal information. The recent U.S. Supreme Court case of Clapper v. Amnesty International USA[2] may have strengthened the standing shield for defendants even more.
Continue Reading Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions