Privacy & Information Security Law Blog

On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise.  The case has now been referred back to the New Zealand Privacy Commissioner.  A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.

On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified.  In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals.  The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

On August 18, 2010, a complaint was filed in the U.S. District Court for the Central District of California, alleging that Specific Media, Inc. violated the Computer Fraud and Abuse Act, as well as state privacy and computer security laws, by failing to provide adequate notice regarding its online tracking practices.  The suit, brought by six web users, seeks class action status and over $5 million in damages, and cites Specific Media’s use of Flash cookies to re-create deleted browser cookies as one of the offending practices.

On August 10, 2010, Illinois Governor Pat Quinn signed the Employee Credit Privacy Act, which prohibits most Illinois employers from inquiring about an applicant’s or employee’s credit history or using an individual’s credit history as a basis for an employment decision.  The definition of “employer” under the Act exempts banks, insurance companies, law enforcement agencies, debt collectors and state and local government agencies that require the use of credit history.

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted   “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

BBC News is reporting that privacy was a major topic at this year’s Hackers on Planet Earth (“HOPE”) conference that was held in New York in July.  Participants spoke to the BBC about privacy vulnerabilities that they have discovered on various Internet sites.  For example, one participant discussed how GPS data embedded in digital photos users post online, combined with other information available in the photos and on the Internet, may reveal the exact locations where the users work, live and travel, as well as users’ real-time locations.  Participants explained that their ...

Richard Thomas (RT): Lisa, congratulations on the publication of the new treatise.  I’m sure the Privacy team has been waiting for its release.  Could you give us some background on what prompted you and the team to write the Privacy and Data Security Law Deskbook?

Lisa Sotto (LS): Thanks, Richard.  Privacy and information security are topics that have received significant attention during the last few years.  Organizations that manage personal information are under the microscope and are struggling to keep up with the many new and evolving legal requirements around the world.  In addition, there is a real uptick in enforcement actions for privacy and data security incidents.  As the former Information Commissioner of the UK, I’m sure you would agree that privacy is an issue on which nearly every global company must focus.  In 2009 alone, companies spent an average of $6.6 million to rebuild their brand image and retain customers after being involved in some type of data breach the previous year.

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On July 28, 2010, the Israeli Supervisor of Banks, Rony Hizkiyahu, issued a letter to the CEOs of all local banks expressing concern over the banks' and their employees' use of online social networks, including both proprietary Web 2.0 tools and networking sites such as Facebook, Twitter, LinkedIn, MySpace and YouTube, all of which are explicitly referred to in the letter.  The Supervisor of Banks, Israel’s banking regulator, requires banks to take steps to ensure data protection and information security, including ...