Monday, October 20, 2014

Moving to WordPress

I am very pleased to announce that The Privacy and IP Law Blog is in the process of moving to WordPress, and to a dedicated domain – PrivacyandIPLawBlog.com!  The blog will operate on both the Blogspot.com location and on the new location for a few months while all the kinks are worked out.  Ultimately, the RSS Feed and subscriber links will also move to WordPress.

Why the switch?
Well, for the past year or so, my traditional way of blogging (writing the material offline, double-checking all of the hyperlinks before publication, then posting in draft form, etc.) has been disrupted by some updates within MS Word that appear to now make it impossible to publish offline to a Blogger.com blog.

Specifically, I can no longer write the posts in Word and update them to the blog for further editing and customization, which has required online access more consistently in order to publish (not always easy when traveling!).  I’ve attempted to find fixes or patches to this issue – but it appears even though this concern is somewhat common, there is no fix.  The discussion boards are rich with complaints about this recent modification to the interactivity between Blogger (owned by Google) and MS Word (owned by Microsoft) – with no remedies.
As a result, my ability to post in a streamlined, time-efficient way has been disrupted.

Hence, fewer posts.
So, after researching for the past few months to find an alternative, I’ve decided to register my own domain and host it through WordPress.  We’ll give this a try for a while and see how it goes.  With any luck, I’ll be able to write more frequently, without as many administrative headaches, and keep this a robust site.

Thanks for coming along for the ride!

LinkedIn Sued for Providing “Trusted References” to Paying Subscribers

On October 9, 2014, a class action complaint was filed in the U.S. District Court for the Northern District of California alleging that LinkedIn violated the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., (“FCRA”) by offering subscribers reports containing “Trusted References” without complying with the FCRA’s requirements to keep the data safe from disclosure. Sweet v. LinkedIn Corp., Civ. A. No. 5:14-cv-04531 (N.D. Cal. filed Oct. 9, 2014) (available at Law360 - subscription required).

Specifically, the complaint alleges that LinkedIn: 1) failed to comply with the certification and disclosure requirements of the FCRA for credit reporting agencies who furnish consumer reports for employment purposes; 2) failed to maintain reasonable procedures to limit the furnishing of consumer reports for the purposes enumerated in the FCRA and to assure the maximum possible accuracy of these reports; and 3) failed to provide the notices required by the FCRA to users of the consumer reports.  Id. at 2.  Plaintiffs seek both damages for past violations and injunctive relief to prevent the continued misuse of these reports in violation of the FCRA.  Id. 

These “reference reports” compile information about “people in your network who can provide reliable feedback about a job candidate or business prospect” – including a list of others in your network who worked at the same company as the job candidate during the same time period.  Id. at 7 (citing LinkedIn’s Premium Help Center); see also Trusted References for Job Candidates (last updated 4/21/14); Reference Search (last updated 11/27/13).  In addition, these reference reports encourage the potential employer to contact these references either through a formal Introduction or through inMail – both of which are communication methods available to LinkedIn members.  Compl. at 7.

Notably, LinkedIn users are not notified when a potential employer requests one of these reference reports about them.  Id. at 8.  As a result, the complaint concludes:  “any potential employer can anonymously dig into the employment history of any LinkedIn member, and make hiring and firing decisions based upon the information they gather, without the knowledge of the member, and without any safeguards in place as to the accuracy of the information that the potential employer has obtained.”  Id.
In essence, the complaint alleges that LinkedIn has “created a marketplace in consumer employment information, where it sells employment information, that may or may not be accurate, and that it has obtained in part from unwitting members, and without complying with the FCRA.”  Id. at 9.  In all, the complaint alleges five counts of FCRA violations, seeks damages and injunctive relief, and seeks a jury trial.

Next Steps
LinkedIn has the option of answering the complaint or making any one of a number of 12(b) motions to challenge the sufficiency of the complaint.  It may take some time before this issue is ripe for decision (any decision) by the court.

Tuesday, September 2, 2014

Is Your Company Subject to Laws Regulating Safe Destruction of Documents?

Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation.  These policies also frequently cover when documents may be destroyed in the normal course of business.  (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.)  It’s almost a business necessity these days given the cost of document storage.

It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.

However, did you know that many states regulate how personal information can be destroyed?  Or, more specifically, how documents and records that contain such personal information may be discarded?  To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).
Leaving aside the specific rules and regulations relating to the protection from disclosure of personal health information (e.g., HIPAA, HITECH, etc.), many states mandate that business records containing personal information of a consumer (including, perhaps, the business’s employees, too) may only be discarded by “shredding, erasing or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means . . . . ”  E.g., 6 Del. Code §§ 50c-101 through 50c-104 (enacted July 1, 2014 – effective as of Jan. 1, 2015); N.J. Stat. Ann. 56:8-162 (same methods, adding “or nonreconstructable through generally available means” at the end); see also N.J. Stat. Ann. 56:8-161 (for applicable definitions).
In Illinois, the law is even more specific.  It requires documents containing personal information to be “redacted, burned, pulverized or shredded” if the documents exist in paper form, or “destroyed or erased” if they are electronic files.  815 ILCS 530/40.  In both cases, these methods are recommended to ensure that the “personal information [contained in the document] cannot practicably be read or reconstructed.”  Id.
In general, this means that you cannot simply throw out old records that contain personal information of a customer (or, perhaps, even an employee) by throwing them in the trash, or setting them aside for recycling.  They have to be handled appropriately.  (Note that some commercial vendors offering shredding services can ensure that the shredded material is handled in an environmentally friendly manner.)
Many of these statutes also carry penalties – whether in the form of government fines or in civil remedies to the consumers whose personal data have been compromised.  For instance, Illinois’ statute provides that any violation of the document destruction law automatically constitutes a violation of the state’s unfair business practices act (which has its own penalties) and is subject to civil penalties, payable to the state Attorney General, of at least $100 per individual whose information has been improperly destroyed, but not more than $50,000 total.  Id. 
In Delaware, not only can the Attorney General seek penalties from any “commercial entity that does not take all reasonable steps in disposing of a customer’s personal identifying information,” but any consumer who has suffered actual damages as a result of this violation of this statute can sue the responsible commercial entity.  6 Del. Code § 50c-103(b).  In these cases, courts are permitted to treble (triple) the damages awarded.  Id.

So, here’s the lesson – if your company (whether a for-profit or not-for-profit entity) creates, maintains or discards personal information owned by a customer, check to see whether one of these state records destruction laws applies to your operations.  If your company operates in more than one state, dig deeper and check all relevant states.  Find out if there are “records destruction laws” that apply to your company and read them carefully.  Some have different requirements, and some are more stringent than others. 
Complying with these laws may also have the added benefit of helping your company avoid, or at least minimize, the significant losses associated with an unfettered data breach.

Monday, July 14, 2014

ABA IPL Publishes White Paper on Online Piracy and Counterfeiting

On July 7, 2014, the ABA Intellectual Property Law (IPL) Section released its comprehensive white paper, outlining the results of its research and analysis of continuing concerns about online pirates and counterfeiters based overseas.  The white paper coins a term to describe the malfeasors:  Predatory Foreign Websites.
More information about the white paper, including a summary of the conclusions and recommendations it makes, can be found in its Press Release and in the copy of the White Paper available on the ABA IPL Section’s site.

Wednesday, April 16, 2014

Recent Presentations and Articles

More articles on IP and privacy issues will be posted here soon, but in the meantime, here are several recent articles that have been published in other media:
  • Participated in a panel discussion on Shutting Down Rogue Websites:  International and Domestic Solutions, before the ABA Section of Intellectual Property Law’s 29th Annual IP Conference, on April 3, 2014.  An article previewing the session was published by our law student reporter, Anna Oakes, who live-tweeted during the presentation (in accordance with the law student reporter program).  I re-tweeted relevant posts about our session that she and other law student reporters tweeted (see @PaTmLawyer).   An article and presentation slides were published in connection with this session, but they are only available to meeting attendees.
  • Interviewed by Smart Business Magazine, How to protect data security and customers’ trust, published on March 31, 2014.  This article briefly describes ways that companies can begin to plan ahead for potential breaches so that their response(s) to breaches can be carefully considered and (hopefully) well-executed.
In addition, on May 9, I will be presenting during the DRI’s Intellectual Property Litigation Seminar on the ability to recover attorney fees in copyright and trademark cases.  The article and presentation slides developed on this topic will be available to meeting attendees.

Following these presentations, more blog posts will begin to appear again.  What can I say?  It’s been a busy spring.
Stay tuned – more soon.

Tuesday, January 28, 2014

Today is Data Privacy Day!

January 28 is “Data Privacy Day.”  In honor of the day, below are several links relating to efforts to protect the privacy of personal data and some tools for small businesses:

  • Council of Europe’s explanation of the purpose of Data Privacy Day (now in its eighth year): http://www.coe.int/t/dghl/standardsetting/dataprotection/data_protection_day_en.asp
    Note that the Council of Europe published its “Handbook on European data protection law” (prepared in cooperation with the European Union Agency for Fundamental Rights (FRA) and the European Court of Human Rights) on January 28, which is available here: http://www.coe.int/t/dghl/standardsetting/DataProtection/TPD_documents/Handbook.pdf.
  • European Union’s Data Protection Day initiatives, including promoting the reform of EU Data Protection laws:  http://europa.eu/rapid/press-release_MEMO-14-60_en.htm (see embedded video).
  • Federal Communications Commission’s Cyber Security Planner:  http://transition.fcc.gov/cyber/cyberplanner.pdf, which the FCC describes as “a tool for small businesses to create customized cyber security planning guides.”  (More information about this tool can be found here:  http://www.fcc.gov/cyberforsmallbiz).
  • Federal Trade Commission’s Data Security (for Businesses):  http://business.ftc.gov/privacy-and-security/data-security.
  • Microsoft’s Data Privacy Day resources:  http://www.microsoft.com/en-us/twc/privacy/data-privacy-day.aspx
  • Stay Safe Online’s Data Privacy Day Site:  http://www.staysafeonline.org/data-privacy-day/landing/ -- and specifically their library: http://www.staysafeonline.org/data-privacy-day/privacy-library.
  • Online Trust Alliance’s Data Privacy Day Site:  http://otalliance.org/news/DataPrivacyDay.html -- includes, for example, its 2014 Data Protection & Breach Readiness Guide.

Monday, January 27, 2014

New “Personal Information Privacy” Legislation Introduced

On January 8, 2014, Sen. Patrick Leahy (D-Vt) re-introduced a personal privacy protection bill intended “to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”  Personal Data Privacy and Security Act of 2014, S. 1897 at preamble (introduced Jan. 8, 2014).  Sen. Leahy introduced prior versions of this bill in 2005, and in each of the four Congresses since.  Press Release, “Leahy Reintroduces Data Privacy Legislation,” Jan. 8, 2014.

Sen. Leahy’s published summary of the bill provides a detailed list of the key components.  There are two principal titles in this bill:  1) Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security; and 2) Privacy and Security of Personally Identifiable Information (“PII”).  (There is a third title, relating to compliance with a statutory Pay-As-You-Go Act, but the text is a short paragraph and just relates to budget compliance.)  See Leahy’s Section-By-Section Analysis of the Bill.
Punishment Enhancement:  The Bill expands the definition of racketeering activity (18 U.S.C. § 1961(1)) to include violations of the Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. § 1030); criminalizes the knowing concealment of a security breach that requires notice (and provides for either a fine or imprisonment up to 5 years); enhances the penalties for fraud and related activities under the CFAA; provides the same penalties for conspiracy to commit computer hacking as for completed, substantive offenses; clarifies the criminal forfeiture requirements; creates a civil forfeiture provision (providing that gross, not net, proceeds may be forfeited under this section); precludes civil actions based on violations of acceptable use policies or terms of service agreements; and adds a new criminal provision making it a felony to damage a computer that manages critical infrastructure systems, such as national security, transportation or public health and safety (imprisonment would be between 3 and 20 years if convicted).

Privacy and Security of PII:  This title covers detailed requirements for data privacy and security programs; enforcement for data breach events (although this specifically denies a private right of action); security breach notifications (to whom made, method, contents, timing, notice to law enforcement, permitting delays by Secret Service or FBI where notice could impede active criminal investigations or national security); preemption of state law on breach notification; and enforcement (it appears to provide only agency enforcement (by federal or state agencies) or criminal enforcement, and not a private right of action). 
Bill Status

This version of the legislation comes close on the heels of the data breach at Target retail stores, involving the “debit and credit card data of as many as 40 million customers during the Christmas holidays.”  Id. (quoting Sen. Leahy).  Once introduced, the bill was read twice, and referred to the Senate Judiciary Committee.  Bill Status (last visited on Jan. 26, 2014); see also Detailed Summary.  Sen. Leahy also announced that the bill “will be” the focus of a hearing before the Senate Judiciary Committee this year.  Id.  (Sen. Leahy is chair of the Senate Judiciary Committee.)
Senate Hearing:  February 4, 2014 (To be Webcast in Real Time)

A related hearing has already been announced, to be held before the full Judiciary Committee.  The hearing notice does not specifically mention this bill, but is undoubtedly related:  "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime," scheduled for February 4, 2014, at 10:15 am in the Dirksen Senate Office Building, Room 226.  
Two panels of testifying witnesses are currently scheduled.  Panel 1 includes John J. Mulligan, EVP and CFO of Target Corporation and Delara Derakhshani, Policy Counsel of Consumers Union (publishers of Consumer Reports).  Panel 2 includes The Honorable Edith Ramirez, Chairwoman of the Federal Trade Commission, William Noonan, Deputy Special Agent in Charge at the Criminal Investigative Division of the U.S. Secret Service and Mythili Raman, Acting Assistant Attorney General in the Criminal Division at the U.S. Department of Justice.

If prior hearings are any indication, then it is likely this hearing, which has been announced as a webcast, will also be broadcast live.  Visit the Judiciary Committee’s Hearing Notice to access the video feed.
Other Data Privacy Legislation

Sen. Leahy’s Bill is not the only one proposed in the current Congress relating to data security breaches and notifications to customers.  Indeed, there are 303 other bills pending with the word “privacy” in their title.  See Search Results.  One particularly noteworthy bill is the Data Security Act of 2014 (S. 1927), introduced by Sen. Thomas Carper (D-DE) and Sen. Blunt (R-MO) on January 15, 2014.  It also seems to be responsive to the Target data breach notification problem in December 2013.  It was read twice and referred to the Senate Committee on Banking, Housing, and Urban Affairs.