Bankrupt Magazine Must Destroy Readers' Personal Information

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

As reported in BNA’s Privacy Law Watch, as a result of the FTC’s opposition to the transfer of the personal information, the parties entered into a consent order agreeing that the information will be destroyed before the magazine’s assets are sold.  The consent order called for the destruction to be carried out in a manner that will make the information “unreadable, undecipherable, or non-reconstructable through generally available means.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy.  It also highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations. Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York.

FTC's David Vladeck Opposes Bankruptcy Transfer of Personal Information

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

Vladeck’s letter explained that, since its inception, the debtor’s website “Sign-up Confirmation Page” told potential members/subscribers: “Please note our amazing privacy policy. We never give your info to anybody.”  Another representation, which appeared on the website and was directed to magazine subscribers, stated: “[O]ur privacy policy is simple: we never share your information with anybody.”  Those submitting online profile information were told that such information “will not be published. [W]e keep it secret.”  The magazine catered to a young gay audience, including individuals whose sexual orientation was a secret.  The creditors have been seeking to acquire the magazine’s subscriber information, among other assets.  Under these circumstances, Vladeck argues, a transfer of the information to the creditors would contradict the privacy statements made to the subscribers, in possible violation of the FTC Act’s prohibition against “unfair or deceptive acts or practices.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy, and it highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations.  Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York by Lisa J. Sotto, Scott H. Bernstein and Boris Segalis.

Commerce Department Takes Lead in Developing U.S. Internet Privacy Framework

“The Department of Commerce is back.”  With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions.  The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.

In the 1990s, during the Clinton Administration, the Department of Commerce led U.S. efforts to develop policy related to privacy on the Internet and encouraged the development of online privacy policies and privacy seal programs.  Within the Department, the National Telecommunications and Information Administration (“NTIA”) authored numerous privacy position papers, and the International Trade Administration (“ITA”) negotiated the U.S.-European Union Safe Harbor Framework.  During the Bush Administration and the first year of Obama’s tenure, however, the Department was largely silent on privacy issues.

Beginning last fall, the Department began holding sessions to investigate the effectiveness of privacy protections in the United States and the impact of privacy regulation on businesses.  The sessions were led by Marc Berejka, Senior Policy Advisor in the Secretary’s Office at the Department of Commerce, and Danny Weitzner, Associate Administrator for the NTIA’s Office of Policy Analysis and Development.  Over the past few months, the Department, in conjunction with NTIA and ITA, formed the Internet Policy Task Force and issued a notice of inquiry to discuss the “nexus between privacy policy and innovation in the Internet economy.” 

Last Friday’s day-long symposium included an introductory discussion on the global Internet economy and privacy that was followed by four panel discussions.  Professor Fred Cate, Senior Policy Advisor with the Centre for Information Policy Leadership and Distinguished Professor of Law at Indiana University Law School, set the stage for the first panel on “Privacy, Innovation and Global Trade.”  The participation of other Obama administration officials indicated that the Department is not alone in these efforts.  White House Deputy Chief Technology Officer Andrew McLaughlin led a panel on “Privacy Frameworks and Innovative Uses of Personal Information,” and Deputy Assistant Secretary of State and U.S. Coordinator for International Communications and Information Policy Phil Verveer spoke on the “Privacy on the Ground” panel.
 
The Department of Commerce will be receiving comments until June 7, 2010, on the notice of inquiry it issued on April 20, 2010.  A draft paper is expected in early October, ahead of the Organisation for Economic Co-operation and Development’s conference on privacy and technology, and the 32nd International Data Protection and Privacy Commissioners Conference, both of which will take place in Jerusalem during the last week of October.

Department of Commerce Announces a Public Meeting on "Information Privacy and Innovation in the Internet Economy"

The Department of Commerce (“DOC”) will be holding a public meeting on May 7, 2010, in Washington, D.C., to listen to stakeholders’ views on privacy policies in the United States.  This session is part of a broader inquiry by the DOC’s newly created Internet Policy Task Force “whose mission is to identify leading public policy and operational challenges in the Internet environment.”  The DOC’s National Telecommunications and Information Administration and the International Trade Administration will issue a notice of inquiry to look at the nexus between innovation and privacy on the Internet.  The Centre for Information Policy Leadership will be participating in these processes.

Canadian Privacy Commissioner Investigates Facebook

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook.  The investigation concerns the social networking site’s introduction of a tool that required its users to review their privacy settings in December 2009.  According to the complaint, Facebook’s new default settings allegedly made some users’ information more accessible than previously had been the case.  Elizabeth Denham, the Assistant Privacy Commissioner, indicated “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices.  The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity.  The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.  

For further information, please see the Office of the Privacy Commissioner's News Release.

Federal Trade Commission: Is Privacy Moving to a Post-Disclosure Era?

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz, and chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy.  Chairman Leibowitz highlighted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and whether consumers were harmed.  From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy.  This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.”  In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

The lack of meaningful consent has raised the possibility that privacy is moving beyond the advise-and-consent model toward a post-disclosure era.  It remains to be seen how the post-disclosure era will evolve and how the new paradigm will replace consumer notice and choice.  The FTC is examining the issue, and aims to publish a report by July 2010.  Although the final content of the report is yet to be determined, Chairman Leibowitz stated, “I have a sense, and it’s still amorphous, that we might head toward opt-in.”

For further information, view The New York Times blog post.

Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”
 

Class Action Lawsuit Against Heartland Dismissed

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network, injecting malicious code into Heartland’s computers.  Heartland allegedly discovered this injection of malicious code and took remedial steps that failed to fully eradicate the threat.  Later, in 2008, the hackers used the injected code to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009. 

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” 

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.” 

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”

Washington Court Rules that IP Addresses Are Not Personally Identifiable Information

In a closely watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

The Washington court’s ruling diverges from other recent rulings in the United States and Europe. In 2008, New Jersey’s Supreme Court held that Internet Service Providers (“ISPs”) are forbidden from disclosing subscriber IP addresses without a subpoena. The court held that New Jersey citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 954 A.2d 503 (N.J. 2008).

Similarly, the European Union’s Article 29 Data Protection Working Party has noted that ISPs should “treat all IP information as personal data” unless the ISPs can “distinguish with absolute certainty that the data correspond to users that cannot be identified.” The Working Party has recommended that search engines delete or anonymize IP addresses once they are no longer needed, and should not retain the data longer than six months.

The issue of whether IP addresses are considered PII as a matter of law has significant implications for companies that collect and use consumer online information. To the extent IP addresses are considered PII, companies that use IP addresses for business purposes would be required to comply with numerous legal requirements with respect to that data.

Alleged Violations of a Privacy Policy

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

Pinero contended that sometime in early 2008, defendants disposed of her 2005 federal and state tax returns intact in a public dumpster.  An unrelated individual found Pinero’s tax returns, as well as those of over 100 other people, and alerted a local television news station.

Pinero brought a putative class action, asserting state law claims of fraud, breach of contract, negligence, invasion of privacy, violation of the Louisiana Database Security Breach Notification Law ("LDSBNA") and violation of the Louisiana Unfair Trade Practices Act (LUTPA).  She also alleged that Jackson Hewitt violated 26 U.S.C. § 6103, which restricts certain disclosures of tax returns.  Pinero sought general damages for fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress, as well as special damages for credit monitoring, credit insurance, reimbursement for all out-of-pocket expenses related to notifying creditors of the improper disclosure, and reimbursement for all out-of-pocket expenses related to identity theft.

Jackson Hewitt moved to dismiss all claims.  Highlights of the court’s decision include:

  • dismissal of the negligence claim because the increased risk of identity theft is too speculative to qualify as actual damage;
  • dismissal of the LDSBNA claim, in part because it only applies to breaches of computerized data;
  • dismissal of the contract claim, in part because expenses related to credit monitoring to guard against future identity theft are not compensable damages;
  • dismissal of the fraud and LUTPA claims (with leave to re-plead) for failure to explain why the representations in the privacy policy were misleading, since the mere breach of those promises does not alone establish that they were fraudulent;
  • dismissal of the claim under 26 U.S.C. § 6103, since that statute only prohibits disclosure of tax returns by persons to whom access to tax returns was granted by the IRS; and
  • denial of the motion to dismiss the invasion of privacy claim, since the alleged facts supported a claim for unreasonable public disclosure of private facts.

In response to this decision, Pinero filed an amended class-action complaint, re-pleading the fraud and LUTPA claims and maintaining the invasion of privacy claim.