
1 ©2006 Foley & Lardner LLP
Understanding Privacy and Security Litigation

Michael P. McCloskey
Partner, Securities Litigation
402 West Broadway, Suite 2100
San Diego, CA 92101
Telephone: 619.685.6409
Email: mmccloskey@foley.com

Andrew B. Serwin
Partner, IP Litigation
402 West Broadway, Suite 2100
Telephone: 619.685.6428
Email: aserwin@foley.com

2 Privacy
General Principles:
–Notice
–Choice
–Onward Transfer
–Access
–Security
–Data Integrity
–Enforcement

3 Privacy
Ultimately Four Issues:
–What information do you collect
–What do you do with the information
–When can’t you disclose it
–When must you disclose it

4 Federal Privacy Statutes
Children’s Online Privacy Protection Act (COPPA);
Gramm-Leach-Bliley (financial);
Electronic Communications Privacy Act;
Health Insurance Portability and Accountability Act (medical); and
Others (FCRA, FACTA)
Right to Financial Privacy Act

5 COPPA (15 U.S.C. § 6501, et seq.; 16 C.F.R. § 312 et seq.)
Restricts the collection of information from children 12 and under by “operators” of:
–commercial websites that are directed to children 12 and under that collect personal information from children;
–general websites that knowingly collect personal information from children 12 and under; and
–general websites that have a separate children’s area and that collect personal information from children 12 and under.
Does not apply to ISPs in most circumstances

6 COPPA
FTC is very active with COPPA issues
–Time out cookies
–“Bounce” issues
–From v. about
–Age Field
The FTC just renewed the COPPA rules

7 Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
There are two portions of the ECPA
–The Wiretap Act; and
–The Stored Communications Act
This is a temporal distinction

8 Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
Wiretap Act and Councilman.
–Prohibits “interception” of “electronic communications”.
"electronic communication": "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photooptical system that affects interstate or foreign commerce,"
–Does not include electronic storage as does the definition of “wire communications” or the storage definition of the Stored Communications Act.

9 Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)
Applies mostly for businesses in the employee context.
Two potential exceptions:
–protect the provider, another provider, or a user, from fraudulent, unlawful or abusive use of such service; or
–a person employed or authorized, or whose facilities are used, to forward such communication to its destination

10 State Employee Email Monitoring Laws
Connecticut
–Requires notice and posting of notice of the employer’s monitoring policies
Delaware
–Requires that notice be given every day to the employee
Certain exceptions apply for investigations
Civil penalties are available
Fischer v. Mt. Olive Lutheran Church

11 Federal Disclosure Statutes
Communications Assistance for Law Enforcement; and
The Patriot Act
The DMCA

12 The FTC and Privacy
FTC has an announced privacy agenda
–Stepping up enforcement of Spam laws
–Increasing assistance to victims of identity theft
–Enforcing companies’ privacy promises is also a focal point of the FTC’s agenda
–Enforcing federal laws
Additional guidance is available via consent orders posted on the FTC website

13 The FTC and Privacy
Tower Records
–Claimed to have reasonable security in shopping cart area
–Had a security issue that permitted customer information to be revealed
CartManager International
–Third Party provider misrepresented
BJ’s Electronics
–Inadequate data security on wireless networks with credit card information

14 The FTC and Privacy
Sunbelt Lending Services
–Violation of the Safeguard Rule, including for the failure to assess risks and implement safeguards to control these risks, train and oversee employees, and monitor the network for vulnerabilities
DSW
ChoicePoint
CardSystems, Inc
–Inadequate data security was an unfair practice

15 Pretexting
Covered by GLB.
Also prohibited under a number of state and federal laws.

16 What is Pretexting?
Obtaining certain forms of information under false pretenses.
It can be improper depending upon the type of data, the type of person seeking it, and the purpose of the request.

17 Situations where pretexting has been used to obtain information
–Disability claims (malingering)
–Collection cases/background checks
–Investigative/celebrity reporting
–“Non-compete” investigations
–To find witnesses, research alibis
–Finance/accounting fraud allegations
–Investigating falsification of records
–Misappropriation of trade secrets
–Misuse/theft of corporate assets
–Derivative claims
–Competitive intelligence
–Litigation related investigations
–To detect ongoing violations of law

18 Why would anyone pretext?
–Difficult to discover information by other means
–Subpoena/discovery power is unavailable
–Legitimate information brokers have “dried up”
–Information obtained by pretext is widely available on the internet as “research” for a fee
–Disgruntled employees with access can be bribed
–Information brokers contend method is not illegal, or an “investigative” or “prosecutorial” exception
–Anonymity of source may lend false sense of legitimacy
–Avoids having to close investigations for lack of proof
–Deception gives criminals edge
–Lack of enforcement

19 Risks of Improper Pretexting
Criminal, civil penalties, including aiding and abetting
–Hewlett Packard case
Potential violations of attorney code of professional responsibility – potential disciplinary consequences
–False statement of material fact or law to third person
–Conduct involving dishonesty, fraud, deceit or misrepresentation
–Failure to supervise
–Counseling client to commit a crime or fraud
–Misleading unrepresented persons
–“Reflects adversely” on lawyer’s “fitness to practice”
Civil liability for investigator’s tortious conduct
Suppression of evidence, other sanctions
Adverse publicity

20 Pretexting and Investigations
The type of information sought can affect your ability to get it.
Where the information is coming from matters as well.

21 The Law of Pretexting
GLB
Wire fraud
The Federal Trade Commission Act/Telecommunications Act of 1996
The Computer Fraud and Abuse Act
State identity theft laws
State restrictions on phone records
Common law fraud

22 Pretexting and State Law
Many companies are subject to many states’ jurisdiction, and consideration of state law is important.
When information is sought from providers, in many cases the information sought may be subject to state protection.
It is not always clear what law applies to your investigation.

23 California Law
California
–Recently adopted SB 202.
–It applies to telephone records.
–Need fraudulent intent for obtaining records.

24 Most States Have Identity Theft Laws
Alaska, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Washington D.C., West Virginia, Wisconsin, Wyoming

25 State Public Utility Restrictions on Telephone Records
California Public Utilities Code Section 2891.
California Code of Civil Procedure Section 1985.3

26 What You Can Do to Prevent Problems and Run a Proper Investigation.
Find out what state and federal laws are applicable to your company/industry.
Check out your investigators.
Consider whether it is better to run investigations internally or externally.
Consider whether you really need the information you are seeking.
Consider including policies regarding information gathering in litigation or pre-litigation matters.
Consider inserting contractual language in investigator’s agreements.

27 What You Can Do to Prevent Problems and Run a Proper Investigation.
Restrict the gathering of certain types of information under false pretenses.
Limit the scope of your investigation to the purpose of the investigation.
Make sure you have a monitoring policy in place.
Consider whether you have authority to gather information from an employee’s computer or network.

28 International Issues
SOX
–Whistleblower issues and foreign data protection regimes
Employee issues

29 California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22579)
Applies if “personal information” is collected through the website
A website must then:
–Have a privacy policy that discloses the type of information collected;
–Describe the process, if any, for consumers to change their information;
–Describe the process for consumers to receive notice of material changes to the policy; and
–Identify its effective date
Format requirements

30 Notice of Security Breach Laws (Cal. Civ. Code § 1798.82)
Triggered if there is a breach of data security; and
A consumer’s personal information is implicated
Applies even if there is simply a reasonable belief that there was an acquisition of data
Law enforcement concerns
Direct notice typically required, though substitute notice is permitted in certain instances

31 Notice of Security Breach Laws
Issues to watch out for
–What good is encryption?
–Electronic v. non-electronic
North Carolina’s law applies to non-electronic
–Is there a general duty?
–Who else must notice be given to?
–What form of notice?
–Is notice required if there is no likelihood of identity theft?

32 Notice of Security Breach Issues
33 other states (and the OCC) have enacted laws or rules
–Including: Arkansas; Connecticut; Delaware; Florida; Georgia; Illinois; Indiana; Louisiana; Maine; Minnesota; Montana; Nevada; New Jersey; New York; North Carolina; North Dakota; Rhode Island; Tennessee; Texas and Washington
Ohio Attorney General action

33 Restrictions Upon the Collection of SSNs (Cal. Civ. Code § 1798.85)
Companies cannot:
–Post or publicly display SSNs;
–Print SSNs on identification cards;
–Require people to transmit SSNs over the internet unless it is encrypted or the connection is secure;
–Use a SSN as a login unless a password is also required; or
–Print it on materials unless legally required

34 Social Security Number Laws
Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Louisiana, Maryland, Michigan, Minnesota, Missouri, Nevada, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Rhode Island, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin

35 California’s Data Security Law (AB 1950, Cal. Civ. Code § 1798.81.5)
Broad law that applies across the board, even to non-electronic data
The law is triggered if a business owns unencrypted personal data regarding a California resident
Businesses and third-parties who receive data must have “reasonable” security measures and procedures
Sliding scale

36 California’s Data Destruction Law
Consumer records must be destroyed if they contain personal information, when the records are no longer needed
This obligation applies whether the record is in electronic form, or not
Destruction is accomplished through:
–shredding;
–erasing, or
–otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means

37 Data Security/Destruction Laws
SOX
FACT Act
Arkansas, California, Colorado, Indiana, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington

38 Spyware and Phishing
12 states have enacted laws (mostly this year) on spyware or phishing.
What is spyware?
–“software that gathers information about a computer’s use and transmits that information to someone else, appropriates the computer’s resources, or alters the functions of existing applications on the computer, all without the computer user’s knowledge or consent.” FTC v. Seismic Entertainment Productions, Inc., 2004 WL 2403124.

39 Spyware and Phishing
Spyware and the DMCA
Recent issues

40 Spyware, Phishing and Pharming
What is the importance of these issues to companies?
–Implicates advertising.
–Affects software update features.
–Customer losses.
–Business losses and network costs.
–IP infringement.

41 Restrictions on Spyware
What triggers a spyware law?
–Affecting a computer you do not own.
–Engaging in some form of deceptive conduct.

42 Restrictions on Spyware
What are examples of deceptive or improper acts?
–Gathering certain forms of personally identifiable information.
–Changing a homepage setting.
–Changing computer settings.
–Blocking the installation of software.
–Causing the installation of software.
–Changing other Internet settings.
–Assuming control of a computer.
–Setting cookies?

43 Civil Actions for Spyware
In many cases civil actions (apart from statutory violations) face legal hurdles.
Kerrins v. Intermix
–Disgorgement of profits not permitted as a remedy.
–Included California’s Little FTC Act, B&P Section 17200.

44 Civil Actions for Spyware
Restrictions on enforcement.
–Some states limit the categories of people that can bring an enforcement action.
Directly affected consumer.
ISPs.
The state.
Trademark owner.

45 Phishing and Pharming
Phishing is the use of email or other means to imitate a legitimate company or business in order to obtain passwords or other sensitive information in order to commit theft or fraud.
Pharming is the use of an improper website in order to obtain information improperly.

46 Potential Enforcement for Phishing and Pharming.
CFAA.
Wire fraud.
FTC Act.
State FTC Acts.
State phishing and identity theft laws.
IP lawsuits.

47 Privacy Litigation
Airlines cases.
–Dyer v. Northwest Airlines Corporation, et al., 334 F.Supp.2d 1196 (D.N.D. 2004);
–In re American Airlines Privacy Litigation, 3:04-MD-1627-D (N.D.Tex. 2005).
Laptop case.
–Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D.Minn. 2006).
No standing/no damages.
–Bell v. Acxiom, 2006 WL 2850042 (E.D.Ark. 2006).

48 Privacy Takeaways
Assess what information is being collected
Think through the types of data you are collecting
Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers

49 Privacy Takeaways
Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems.
Consider what security systems you have in place and what security measures you are requiring third parties to have.
Consider restrictions upon the use of removable media.
Make sure your privacy policy makes the necessary disclosures.

50 Privacy Takeaways
Reserve the right to modify your privacy policy
Ensure that employees are aware of your policies
Assess whether you have a responsibility to report a data security incident
Consider what security systems you have in place and what security measures you are requiring third parties to have
Determine if you are sending or receiving data to countries that have higher privacy and security standards

