Friday, November 30, 2007

VA case going to mediation

The case I wrote about here and flagged as interesting and worth watching has gone to mediation (article here). Now, this doesn't mean that the case is necessarily going away (I've been involved in unsuccessful mediations - if the parties are simply too far apart, there's very little the mediation can do). However, it does mean that there likely won't be any further developments in the case for the time being. From my perspective as an outside lawyer, that's too bad. As I wrote previously, the case looked interesting and I would have liked to have watched it play out.

Tuesday, November 20, 2007

Cross Border Data Privacy Issues Presented on Both Sides of the Atlantic

In a recent post on the Massachusetts security breach legislation, I explained that the law applies to anyone who has control of the personal information of a Massachusetts resident. This would apply to a "person" (used broadly to include individuals and non-individuals) located anywhere, whether within the U.S. or in another jurisdiction. If a security breach occurs that results in the disclosure of the personal information of a Massachusetts resident, the notification and other obligations under the Massachusetts law apply to the offshore company. Similarly, the European Union Privacy Directive 95-46 imposes restrictions on its members with respect to the transfer of personal data of the citizens of EU member states. See Directive here. Further, each of the member states has enacted privacy legislation following the template provided by the EU Privacy Directive, in some cases imposing even stricter or more detailed privacy protection requirements that must be adhered to before the data can be transferred out of the EU to another jurisdiction. Essentially, the country into which the data will be transferred must offer "adequate protection." Since the US has not received the "adequate protection" designation from the EU, a US company wishing to effectuate the transfer of personal information from an affiliate or third party service provider located in the EU has several options for meeting the requirements of the EU Privacy Directive and avoiding the fines that can be assessed against violators, including Safe Harbor certification, binding corporate rules, and accepting contractual obligations.

It would appear that the two sides of the Atlantic have yet another difference in their respective approaches to consumer data privacy: the EU countries are focused on preventing data privacy breaches by imposing protective requirements and by limiting cross-border transfer of personal data. On the other hand, the vast majority of US states have faced the inevitability of data security breaches, and have focused on notification requirements and identity theft preventive measures. Meanwhile, reports of data security breaches continue to make headlines on both continents, and there appears to be no end in sight.

Data Exposure Claim Survives Motion to Dismiss

The D.C. District Court has issued a noteworthy opinion in the ongoing consolidated litigation related to last year's potential theft of 26.5 million records (article here, case number 1:06-mc-00506). As described in this article, the plaintiffs in the case alleged damages based on "embarrassment, mental distress, emotional trauma and the threat of future identity theft." Some plaintiffs also requested compensation for having to pay for credit monitoring services. As has been noted previously (e.g., here), plaintiffs alleging those types of damages generally lose. In fact, earlier this year, the D.C. District Court dismissed a data exposure case alleging similar damages based on the proposition that "an allegation of increased risk of identity theft due to lost or stolen personal data, without more, is insufficient to demonstrate a cognizable injury." Randolph v. ING, 486 F. Supp. 2d 1, 7 (D.D.C. 2007). Given that history, the court's decision to let the litigation against the Department of Veterans Affairs proceed seems, at least initially, to be a departure from what had been settled precedent. While it is unclear what effect this decision will have in the future, because of it, the underlying case is definitely worth watching.

Sunday, November 18, 2007

Variation in State Laws: A Problem to be Solved?

Over at the Compliance and Security Connection, there's a post up about potential problems with "The Tangled Web of Data Breach Notification Laws." The post describes the difficulties that had when it experienced a data security breach. According to the post:

Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies...The issue is the variation between the different state consumer notification laws.

However, neither the post nor the article it refers to (link here) explains how the variation in data breach notification laws hurt the company. While the article isn't clear on this point, the fees the company ended up paying were almost certainly imposed based on its agreements with the credit companies, not on any state data breach notification act. Indeed, many state laws (e.g., Indiana's) are written so that they are enforceable only by an action brought by the state attorney general. Thus, while variation in state laws might be annoying, blaming that variation for fees imposed by credit companies seems a bit unfair.

Similarly, while the post intimated that complying with varying state requirements is more difficult than complying with a single national standard would be, there is no evidence that that is the case. As an analogy, in the area of environmental regulations, California has the authority to enact its own emissions standards, which can be more stringent than those imposed by the EPA. The result, according to automakers, is not a patchwork of different standards - it's a single de facto national standard, since a company complying with the more stringent California rules will automatically be in compliance with the less demanding EPA rules (for an article describing some legal consequences of the relationship between California and the EPA, see here). A similar strategy of following the most stringent requirements can be applied to data breach notification laws. For example, by complying with a requirement to notify consumers whenever there is a breach, a company will automatically comply with a requirement to notify consumers only when a breach is combined with a risk of harm.

In general then, I remain unconvinced that variation between state laws presents any real burden. I also think that such variation can be beneficial, as individual states can engage in experimentation to try and appropriately balance the interests of businesses and consumers. A federal law (such as was called for in the post) might smooth out variation, but it would also cut out the experimentation currently going on between different states - a real drawback that should be considered when evaluating whether such a law should be passed.

Link to the Compliance and Security Connection provided by George Jenkins at I've Been Mugged.

Friday, November 16, 2007

Protecting Against Yesterday's Threats

Over at Bruce Schneier's blog there's a reference to a paper that includes this criticism of security efforts: "Most 'security' efforts are designed to stop yesterday's attacks but fail completely to stop tomorrow's attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value." While I understand the frustration the author of the paper must feel from dealing with the aftermath of new attacks which are not prevented by backward-looking technology, I think the criticism is misplaced. The systems which are the most vulnerable are not the ones which will be compromised by an innovative new hack - they're the ones that can be compromised using hacks that have been known for years. Case in point: TJX, where the largest data breach in history took place because of TJX's use of Wired Equivalent Privacy (WEP), which was known to have been compromised years before the breach (article here). If TJX had protected against yesterday's threats, the individuals who hacked it might have moved on to try and find a softer target, rather than trying to develop some innovative new attack technique to get through at TJX.

From a legal perspective, focusing on the threats of the past also makes sense. In many cases, liability will swing on whether some harm was foreseeable or whether an actor exercised reasonable care. In a court case, it's much harder to argue that the risk of a data breach wasn't foreseeable, or that your care was reasonable, if you hadn't even protected against yesterday's (i.e., known) threats. This isn't to say that it isn't also important to try and head off threats before they materialize by using good security practices. However, it's important not to let the perfect be the enemy of the good, or to let the value of learning from the past be overlooked.

Thursday, November 8, 2007

Massachusetts Bill Has Universal Applicability

Massachusetts is the latest state to provide its citizens enhanced protection from identity theft. The law, entitled "An Act Relative to Security Freezes and Notification of Data Breaches" (the "Act"), was signed into law on August 2, 2007. The Act consists of three main weapons: mandatory notification requirements in the event of a data security breach; data disposal requirements; and a "security freeze" procedure. The disposal requirements are effective on February 3, 2008, and the other two were effective October 31, 2007. There is nothing remarkable or new in the Act's requirements, but its expansive coverage sets it apart from the other states' laws. It applies to anyone who holds information relating to Massachusetts residents, and is not limited simply to those who conduct business with Massachusetts residents. This means natural persons, corporations and government agencies are all subject to its requirements, whether or not they hold the information for business purposes. This could expand the coverage to include not-for-profit organizations such as PTAs and scout troops which collect personal information of their members, as well as less formal arrangements such as where a child handles financial matters for an aging parent. While the Act is likely to have minimal impact on financial institutions, since federal regulations already impose similar requirements, one wonders what the legislature's intent was in potentially subjecting individuals in a personal or non-commerce relationship to fines and Attorney General enforcement actions. Fortunately, there is no provision for a private right of action, so the Massachusetts court system should not see an increase in inter-family litigation resulting from the Act.

Tuesday, November 6, 2007

Emotional Damages for Data Exposure

About a week ago, a friend of mine (whose name will be withheld unless he or she tells me to reveal it) asked what I thought about the approach to damages taken by the plaintiffs in Pisciotta v. Old National Bancorp (previous blog post about that case is here). In that case, the plaintiffs, in addition to asking for damages to cover credit monitoring costs, also requested compensation for emotional damage caused by elevated risk of identity theft. The problem is that, as in most identity exposure cases, the court dismissed the plaintiffs' cause of action saying that they had suffered no present compensable injury because their identities hadn't actually been stolen. The emotional harm the plaintiffs may have suffered was dismissed as being connected to the potential future harm, rather than to any completed present harm.

My guess is that plaintiffs in the future aren't likely to get much mileage out of emotional harm arguments. Courts have uniformly rejected claims for damages based on exposure of data, and the 7th Circuit in Pisciotta v. Old National Bancorp was simply following the trend. Where plaintiffs may be more successful is in cases where they can show that they have suffered some direct out-of-pocket cost (other than credit monitoring) as a result of a security breach. This includes not only individual consumers who are victims of identity theft, but also other commercial entities, such as banks, who are forced to spend money by the breach itself (e.g., by reissuing credit cards).

Sunday, November 4, 2007

6th Circuit Holds No Right to Privacy in Mug Shot, etc.

In Bailey v. City of Port Huron, the Sixth Circuit held that a person charged with drunk driving does not have a privacy right in her mug shot, name, husband's occupation, or phone number. The U.S. Constitution does not provide a right of privacy for this information.

Dorothy Bailey and her husband, a sheriff's deputy, were involved in a one-car, alcohol-related rollover accident. The police department issued a press release about the incident and provided information to a local television station in response to a Freedom of Information Act (FOIA) request.

After the release of this information, the Baileys faced some harassment, such as being followed by two men in a store that Ms. Bailey recognized as men her husband had investigated. Also, someone deliberately cut their cable line.

Although the court recognized that substantive due process provides some privacy protection, those protections do not apply to one's criminal record. For more on the state of constitutional substantive due process rights, see Daniel O. Conkle's 2006 law review article: Three Theories of Substantive Due Process.

In short, the court concluded: "As a matter of federal constitutional law, a criminal suspect does not have a right to keep her mug shot and the information contained in a police report outside of the public domain - and least of all from legitimate requests for the information from the press."

As we monitor the development of privacy law in civil cases, it remains important to consider how privacy rights are being addressed in criminal matters because they may provide instructive principles or at times require a showing of why civil privacy issues should be distinguished from criminal privacy standards.