Wednesday, January 30, 2008

EU Court Protects Privacy Against Record Companies

According to this story from, the top court in the European Union has ruled that telecommunications companies cannot be forced to divulge names and addresses of individuals suspected of distributing copyrighted movies and music over peer to peer networks. The court did state that individual countries could draft national laws to change that, but cautioned that any such laws would have to take into account individual privacy, as both property and privacy are "fundamental rights."

Given that this is taking place in Europe, it won't have much effect on privacy rights in this country, or on the music industry's continuing crusade against peer to peer networks in the U.S. However, it can provide a useful point of comparison between the treatment of privacy in the E.U., and the treatment of privacy in the U.S. For example, in the U.S., privacy protections aren't balanced against the interests of copyright holders - they're used as a pretext to advance the interests of copyright holders when it isn't politically expedient to advance the interests of copyright holders directly (see, e.g., here. As someone who generally supports greater individual privacy, I would like this to change, though I'm not optimistic that, in this country, it ever will.

Sunday, January 27, 2008

Fair and Accurate Credit Transactions Act Rules

At the end of last year, federal banking regulatory agencies issued a number of rules relating to the Fair and Accurate Credit Transactions Act. Among the new rules are red flag rules, which require financial institutions to adopt and periodically update written identity theft protection programs, and rules concerning affiliate marketing, which require that consumers be given the chance to "opt out" before their personal information is given to an affiliate organization for marketing purposes.

Additional detail on the affiliate marketing and red flag rules, as well as other regulatory activity concerning identity theft and personal privacy can be found at this client advisory prepared by my colleague Jane Shea.

Wednesday, January 16, 2008

Emotional Distress Worth $150,000

Via I've Been Mugged, we find that the Fourth Circuit has recently upheld the liability of Equifax for failing to correct errors in a credit report caused by identity theft (the case, Sloane v. Equifax, can be found here). In general, this isn't groundbreaking stuff. After all, the Fair Credit Reporting Act requires credit reporting agencies to remove errors from consumer files, and gives consumers the right to sue for damages if they don't. What is interesting in the Fourth Circuit's decision though, is what they did with Equifax's liability. Originally, the trial court had awarded the plaintiff $106,000 in economic damages for Equifax's violation of the law, and $245,000 for pain and suffering. The Fourth Circuit however, felt that this award was out of line with the damages which had been awarded in other FCRA cases, and libel cases, which are similar in that individuals claim damage based on false statements made about them. The result? The Fourth Circuit decided that the plaintiff was entitled to no more than $150,000 and number which, while clearly based on the facts of the particular case will undoubtedly be used as a guideline in future cases determining damages under the FCRA.

Tuesday, January 15, 2008

What if McCain Defaults?

Yesterday, I wrote about John McCain's presidential campaign pledging its fundraising list as collateral for a loan - the same fundraising list that it said it would never sell to third parties. In that post I asserted that it was unlikely that McCain's campaign could be sued by consumers for violating the privacy policy, and pointed out that it's too early to sue in any case, since McCain's campaign hasn't defaulted on anything, and so the bank hasn't seized the list. However, that rather begs the question: is there anything that would happen if the list was seized? Well, potentially, there is. First, there's the potential breach of contract suit. As I mentioned yesterday, it would be unlikely to succeed, but that doesn't mean that the threat isn't there. There's also potential action by the government (probably more likely if McCain loses the presidential race). Section 5 of the FTC Act (discussed here) prohibits unfair or deceptive trade practices. That prohibition has been interpreted broadly, and has been used to punish companies which sell lists in violation of privacy policies in the past (e.g., this settlement with Gateway Learning, makers of "Hooked on Phonics"). Thus, theoretically, there's a chance that the FTC might take action if the campaign defaulted and the bank seized the list.

Realistically though, the FTC isn't going to go after a political campaign for pledging its fundraising list as collateral, since that would prevent other political campaigns from doing the same thing in the future, and the FTC is controlled by the government (i.e., politicians). Similarly, as I said yesterday, there are real obstacles to a breach of contract action being successfully brought. The bottom line is that the only hit John McCain's campaign is likely to take from pledging its list is political (if that).

Monday, January 14, 2008

Consequences of McCain Pledging his Donor List

According to this story from Politico, John McCain's presidential campaign has pledged its fundraising list as collateral for a loan. The problem is that the campaign's Privacy Policy states that: "John McCain 2008, will not sell your information to third parties or any commercial entities." While the policy does state that "We may share information -- that you voluntarily provide us -- with like-minded organizations committed to the principles or candidates of the Republican party, Republican State Party organizations, local Republican groups and like-minded organizations" it seems unlikely that the commercial banks which made the loan are "like-minded organizations," so there seems to be a conflict between the pledge and the policy.

Unsurprisingly, the comments to the article were mostly focused on the politics of the situation (e.g., "It's just one more example of John McCain's total arrogance.", which was followed by "I think I'll donate more money right now to spite this attack"). However, I'm more interested in the legal implications of the pledge. For example, the Politico article says that McCain's campaign could be sued by its donors for breach of contract. Is that true? Well, I have two words for any donors seeking to sue the campaign: Good Luck. While I'm all for protecting consumer privacy, the courts have previously ruled in In re Northwest Airlines Litigation that Northwest's privacy policy did not create a contract with consumers, and that the data collected by Northwest belonged to Northwest (who could therefore divulge it in violation of the privacy policy) not to consumers (who wanted it maintained in confidence). Whether or not you like the ruling, there's no reason to believe that someone suing McCain's campaign for pledging the list would have better luck. In any case, even if a court were to look more favorably on someone suing the McCain campaign, it's too early to sue the campaign anyway. The list was pledged, but the campaign hasn't defaulted, so the pledge hasn't been redeemed. In other words, there hasn't been a sale, and so, at least for now, there is no breach of the policy for which the McCain campaign could be sued.

Wednesday, January 9, 2008

Lawsuit Against Sears Attacks Customer Information Sharing Practices

A class action lawsuit against Sears Holdings Corp. filed last week illustrates how far the plaintiff's bar is willing to go to extend the frontier of tort liability for the alleged breach of consumer privacy rights. See Computerworld article
The lawsuit challenges the availability of Sears' customers' purchasing history on its website. Besides providing Sears shoppers with the ability to download manuals, find product tips and get home-renovation ideas, it also let customers track purchases and product warranties by entering their name, address and phone number. Since it was not password-protected, anyone could enter any other name and address and obtain others' information as well. The "Find your Products" section of the site has been disabled in the wake of public criticism and the filing of the lawsuit.

While the legal merits of the case may be tenuous, the more important lesson from this case for companies is that it illustrates what NOT to do. First, Sears created a site knowingly giving public access to its customers' personal information. No matter that it did not include account or Social Security numbers -- most laws define "nonpublic personal information" to be a consumer's name and any of that person's address, phone number, Social Security number, account number, etc. So, by definition, this information was considered "private" and should have been password-protected. Secondly, Sears did not inform its customers that they were making this information available on the website. Its privacy policy made no mention of it, and while it may not be required by law, it would have been prudent to give the customers the opportunity to opt out. Finally, Sears learned of the issue weeks before it took any action to rectify the situation. It did not take the feature off the website until after the lawsuit was filed. Even if it was convinced that its behavior did not expose it to legal action, its inaction indicated an insensitivity to public concern for privacy rights. One would hope that given the amount of adverse publicity TJX and others have suffered from their experiences with security breaches, that such insensitivity to consumers' privacy concerns by companies that are the repositories of consumers' personal information would be a faint memory.

At a minimum, the Sears lawsuit should serve as a wake-up call to other companies that a cavalier attitude to consumer privacy will no longer be tolerated by the public.

Tuesday, January 8, 2008

New Information Security Threats

Now, your network connection isn't the only point of attack for malware. According to this article from C|NET malware has been found preinstalled on USB enabled consumer devices, including an Mp3 player, and (something I didn't even know existed) a digital picture frame. This isn't a case like the Sears holding company fiasco (described here), where the company installed tracking software with arguably insufficient notice. Instead, the malware found on the USB devices is something about which consumers are given no warning whatsoever.

So what does all this mean legally? The first thing it means is that law abiding companies should make sure that they have effective programs in place to prevent unauthorized software from being run on their systems, because this new attack vector (which includes picture frames) could lead to security breaches, and their attendant legal consequences. The second thing it means is that we're likely to see a ton of litigation against device distributors. When Sony shipped CDs with malware pre-installed, they were sued, and eventually settled in class action litigation for (among other things) fraud, deceptive trade practices, and trespass to chattels. I envision many similar suits happening in the future, many of which will probably inculde device distributors who didn't know what their manufacturers put on the devices while they were being made. Finally, I have a distant hope that news like this will lead to more people recognizing the dangers of malware and identity theft. A great example of the lack of regard many people have for information security is this post from BoingBoing which describes an individual who sought to prove security concerns were unwarranted by publishing his bank account number (which, predictably, was used to set up an unauthorized direct debit in his name). Maybe the shock of learning that every day objects like a picture frame can be used to steal data will end up making people more aware of the importance of information, and the lengths criminals will go to to steal it.

Thursday, January 3, 2008

2007: Year of Controversy

Was 2007 a good or bad year (in terms of number of breaches and number of records stolen)? As it happens, there's some controversy as to the answer for that question. This article from Information Week says that 2007 was a bad year for privacy, breaking records in terms of both number of incidents and number of records lost. However, when this blogger at Chronicles of Dissent crunched the numbers, (s)he concluded that 2007 was a (relatively) good year in terms of both number of incidents and number of records exposed.

While the fight involves doing things like actually counting numbers of breaches and records (something I don't want to do), I will say that the post from Chronicles of Dissent brings up some good points, something even Information Week concedes. However, there is something I wanted to clarify. Both Information Week and Chronicles of Dissent listed the number of records exposed by the TJX breach at 94 million. That number, while included in court documents filed by the plaintiffs in that case, could very well be wrong. There has been no trial in TJX, and so the plaintiffs' contention that 94 million records (rather than the 46 million records cited by TJX) were exposed has never been tested or validated by a court. Given that, if 2007 is counted with the more conservative (but clearly not overstated) 46 million figure, the number of records lost in 2007 drops by more than half, regardless of who's counting. With that drop, the number of records lost in 2007 appears to be trending down from 2007, meaning that 2007 was (according to that measure) a relatively good year for data privacy.

Tuesday, January 1, 2008

Does it Matter if You Spy on Foreigners?

Over the holidays, I mentioned my post about Congress ignoring individual privacy in an email discussion group and was asked whether the telecoms now requesting amnesty permitted surveillance of domestic-domestic calls. As an initial matter, the answer is yes. Paragraph 158 of the consolidated complaint the telecoms allowed the NSA to build a database which included Americans' domestic calls. Paragraph 176 of the complaint explicitly alleges that "Defendants have knowingly authorized, and continue to knowingly authorize, NSA and affiliated governmental agencies to directly access through the installed devices all domestic, international, and foreign wireline and wireless telephone and electronic communications transmitted through Defendants’ domestic telecommunications infrastructure and facilities for use in the program." Given that the current lawsuits against the telecoms are on a motion to dismiss, the allegations in the complaint have to be taken as true, so (at least at this point) it as to be accepted that the telecoms allowed surveillance of domestic-domestic calls.
However, there's something a bit troubling about the idea that amnesty should be granted if the Americans who were being spied on were communicating with foreign nationals. To my mind, Americans should be able to assume that their communications are not being monitored (without protections required by law such as a court order or a warrant) even if they are talking to someone who is overseas. An incursion on privacy when speaking with someone overseas is simply that: an incursion on privacy. This should not only be a concern based on a general regard for privacy, but also because it damages the United States' standing internationally (see, e.g., the 2007 International Privacy Rankings (discussed here) which placed the United States last among countries in the democratic world). The attitude that we can (and should) nonchalantly subdivide our privacy is one which leads to a country where individual privacy is reduced to slivers so small that the significance of privacy is completely lost.

And on that cheerful note: HAPPY NEW YEAR!!!