Articles Posted in Litigation

 

Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority, granted under Section 5 of the Federal Trade Commission Act to address unfair or deceptive acts or practices, the FTC has pursued companies that it believes have misleading privacy statements, or fail to secure personal customer information, and brought actions and entered into settlements with a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.

One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application allowed (unintentionally) sensitive files on her computer to be shared on the LimeWire network and made public. This vulernerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa,  Tiversa reported LabMD’s vulnerability to the FTC. Continue reading

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in Federal Trade Commission v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the FTC to regulate data security standards. Although the decision dealt most directly with the hospitality industry, it is a wakeup call for every company that is subject to FTC jurisdiction.
Continue reading

Multinational companies often face challenges in enforcing claims against their employees and agents located in foreign jurisdictions. In December 2012, a federal appeals court decision — MacDermid, Inc. v. Deiter, No. 11-5388-cv (2nd Cir. Dec. 26, 2012) — made enforcement a bit easier when a company goes after employees who commit cyber theft beyond U.S. borders.
Continue reading

Published in The Bottom Line, the State Bar of California’s law Practice Management and Technology Section, as well as Hospitality Net, Hotel Online and ehotelier.com.

Download a PDF of the article: Losing the expectation of privacy bit by bit, byte by byte

 
Continue reading

Web analytics concept - Multicolor version

On February 10, 2011, the California Supreme Court held in Pineda v. Williams Sonoma that ZIP codes are considered “personal identification information” under the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”). As previously discussed in our January and March 2009 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them offer services and goods on a competitive basis.

Background

The Act provides in part that retailers shall NOT do any of the following:

1. Request or require the cardholder to write any personal identification information on the credit card transaction form as a condition to accepting the credit card as payment in full or in part for goods or services.

2. Request or require the cardholder to provide personal identification information, which company personnel writes or otherwise records on the credit card transaction form as a condition to accepting the credit card as payment.

3. Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder in any credit card transaction.

See Cal. Civ. Code § 1747.08(a).

Under the Act, personal identification information is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of personal identification information.

This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.), and the customer is not required to give this information in order to consummate the transaction.

The trial court in Pineda applied Party City’s logic, and concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected this reasoning and relied on the Act’s protective purpose and expansive language by holding that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed misgivings  about Williams-Sonoma’s “reverse append” practices and the potential for retailers to circumvent the Act by collecting indirectly what they cannot legally collect directly. In reversing Party City, the Supreme Court pointed out that Williams-Sonoma had the following intention by requesting plaintiff’s ZIP code:

“[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. [Williams-Sonoma] uses its database to market products to customers and also sell the information it has compiled to other businesses.”

Although the Supreme Court may have had this particular fact-pattern in mind in overturning Party City, the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.”

Penalties for Violation

The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. In addition, more than a dozen national retail chains operating in California have been hit with lawsuits since the Pineda decision, setting off a flurry of litigation with most of the lawsuits being filed in San Francisco or Los Angeles courts.

Future Questions

One potential question that Pineda raises is whether ZIP codes are the end of the line or whether other “non-traditional” forms of personal identification information, such as emails and/or IP addresses could be treated as personal identification information for purposes of the Act. In light of the court’s decision in Pineda, it seems possible that plaintiff and consumer advocacy groups may wish to revisit the Symantec holding (discussed in our March 2009 Client Alert) in order to try to eliminate the “online” vs. “offline” distinction between retailers.

Suggested Actions

JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.