Canadian Privacy Commissioner Investigates Facebook

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook.  The investigation concerns the social networking site’s introduction, in December 2009, of a tool that required its users to review their privacy settings.  According to the complaint, the new default settings that accompanied the tool allegedly made some users’ information more widely accessible than it had been before.  Elizabeth Denham, the Assistant Privacy Commissioner, indicated that “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices.  The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity.  The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.  

For further information, please see the Office of the Privacy Commissioner's News Release.

Federal Trade Commission: Is Privacy Moving to a Post-Disclosure Era?

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz and the chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy.  Chairman Leibowitz noted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and on whether consumers were harmed.  From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy.  This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.”  In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

The lack of meaningful consent has raised the possibility that privacy is moving beyond the advise-and-consent model toward a post-disclosure era.  It remains to be seen how the post-disclosure era will evolve and how the new paradigm will replace consumer notice and choice.  The FTC is examining the issue, and aims to publish a report by July 2010.  Although the final content of the report is yet to be determined, Chairman Leibowitz stated, “I have a sense, and it’s still amorphous, that we might head toward opt-in.”

For further information, view The New York Times blog post.

Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”

Class Action Lawsuit Against Heartland Dismissed

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it disclosed a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network and injected malicious code into Heartland’s computers.  Heartland allegedly discovered the malicious code and took remedial steps, but those steps failed to fully eradicate the threat.  Later, in 2008, the hackers used the code that remained on the network to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009.

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” 

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.” 

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”

Washington Court Rules that IP Addresses Are Not Personally Identifiable Information

In a closely watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

The Washington court’s ruling diverges from other recent rulings in the United States and Europe. In 2008, New Jersey’s Supreme Court held that Internet Service Providers (“ISPs”) may not disclose the subscriber information associated with an IP address without a subpoena. The court held that New Jersey citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 954 A.2d 503 (N.J. 2008).

Similarly, the European Union’s Article 29 Data Protection Working Party has noted that ISPs should “treat all IP information as personal data” unless the ISPs can “distinguish with absolute certainty that the data correspond to users that cannot be identified.” The Working Party has also recommended that search engines delete or anonymize IP addresses once they are no longer needed, and that they retain the data for no longer than six months.

Whether IP addresses are PII as a matter of law has significant implications for companies that collect and use consumer online information. To the extent IP addresses are PII, companies that use them for business purposes would have to comply, with respect to that data, with the numerous legal requirements that attach to PII, including the notice, consent, retention and breach notification obligations discussed elsewhere in this update.

Alleged Violations of a Privacy Policy

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

Pinero contended that sometime in early 2008, defendants disposed of her 2005 federal and state tax returns intact in a public dumpster.  An unrelated individual found Pinero’s tax returns, as well as those of over 100 other people, and alerted a local television news station.

Pinero brought a putative class action, asserting state law claims of fraud, breach of contract, negligence, invasion of privacy, violation of the Louisiana Database Security Breach Notification Law (LDSBNA) and violation of the Louisiana Unfair Trade Practices Act (LUTPA).  She also alleged that Jackson Hewitt violated 26 U.S.C. § 6103, which restricts certain disclosures of tax returns.  Pinero sought general damages for fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress, as well as special damages for credit monitoring, credit insurance, reimbursement for all out-of-pocket expenses related to notifying creditors of the improper disclosure, and reimbursement for all out-of-pocket expenses related to identity theft.

Jackson Hewitt moved to dismiss all claims.  Highlights of the court’s decision include:

  • dismissal of the negligence claim, because the increased risk of identity theft is too speculative to qualify as actual damage;
  • dismissal of the LDSBNA claim, in part because the statute applies only to breaches of computerized data;
  • dismissal of the contract claim, in part because expenses for credit monitoring to guard against future identity theft are not compensable damages;
  • dismissal of the fraud and LUTPA claims (with leave to re-plead) for failure to explain why the representations in the privacy policy were misleading, since a mere breach of those promises does not by itself establish that they were fraudulent;
  • dismissal of the claim under 26 U.S.C. § 6103, since that statute prohibits disclosure of tax returns only by persons to whom the IRS granted access to those returns; and
  • denial of the motion to dismiss the invasion of privacy claim, since the alleged facts supported a claim for unreasonable public disclosure of private facts.

In response to this decision, Pinero filed an amended class action complaint, re-pleading the fraud and LUTPA claims and maintaining the invasion of privacy claim.