Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

Summaries of each of the cases reviewed in the Report are as follows:

1.       Employee Discussion on Facebook Can Be Protected Concerted Activity

• The terminated employed had posted on Facebook about a self-proclaimed demotion that she thought was unfair and unwarranted based upon her performance. Several co-workers with whom she was also “friends” posted their support on Facebook, including comments discussing the employer’s dishonest and unfair practices. The employee was terminated 5 days after making her post for violating the employer’s rule prohibiting “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The NLRB found that this policy was unlawful on the basis that it would “reasonably be construed to restrict Section 7 activity, such as statements that the Employer is, for example, not treating employees fairly or paying them sufficiently.” Further, the NLRB found that the employee’s initial post and the subsequent discussion that it generated fell within the definition of “concerted activity” since the discussion clearly centered on working conditions.

2.   Broad Policies That Do Not Provide Examples or Clear Definitions Are Often  Found Invalid by the NLRB

• An employer implemented a social media policy “restricting the use of the employer’s confidential and/or proprietary information provided that, in external social networking situations, employees should generally avoid identifying themselves as the employer’s employees, unless there was a legitimate business need to do so or when discuss terms and conditions of employment in an appropriate manner.” The policy did not define what “appropriate” or “inappropriate” meant under the policy and therefore employees could “reasonably interpret the rule to prohibit protected activity, including criticism of employer’s labor policies, treatment of employees and terms and conditions of employment."

• A provision requiring “that social networking site communications be made in in an honest, professional, and appropriate manner, without defamatory or inflammatory comments regarding the employer and its subsidiaries, and their shareholders, officers, employees, customers, suppliers, contractors, and patients.” Without defining broad terms like “professional” and “appropriate” the provision could be construed to prohibit communications protected by NLRA.

3.       Policies that Subjectively Infringe on NLRA Section 7 Rights Are Invalid

• ·An employer discharged an employee for violation of a company policy that stated that “insubordination or other disrespectful conduct” and “inappropriate conversation” would be subject to disciplinary action. The NLRB found that this policy “would reasonably be construed by employees to preclude Section 7 activity.”

• An employer’s social media policy “prohibits employees from using social media to engage in unprofessional communication that could negatively impact the employer’s reputation or interfere with the employer’s mission or unprofessional/inappropriate communication regarding members of the employer’s community.” Although the rule contained some clear examples of unprotected conduct (e.g. revealing trade secrets), it also contained examples that could reasonably be read to include protected conduct and, therefore, could “be construed to chill employees in the exercise of their Section 7 rights."

4. Social Media Policies Inhibiting Free Communication Between Employees and Between Employees and Third Parties Are Generally Invalid

The Report discussed the following overbroad provisions from a single social media policy:

• A provision that prohibited employees from “disclosing or communicating information of a confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department” is unlawful because employees have a right to communicate such information to third parties.

• A provision preventing use of the company’s name or service marks outside of the course of business without prior approval of the law department is unlawful because employees have a right to use their employer’s name or logo in conjunction with protected concerted activity, such as to communicate with fellow employees or the public about a labor dispute. 

• A provision prohibiting employees from publishing “any representation about the company without prior approval by senior management and the law department” is unlawful because employees have a Section 7 right to make representations about their employer that are “part of and related to an ongoing labor dispute.” 

• A provision providing “that employees needed approval to identify themselves as the employer’s employees and that those employees who had identified themselves as such on social media sites must expressly state that their comments are their personal opinions and do not necessarily reflect the employer’s opinions” is unlawful because the provision stifled employees’ ability to locate other employees, thus, inhibiting their ability to organize, a protected right under Section 7.

• A provision “requiring employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination” is unlawful because it inhibits the ability for employees to organize to discuss working conditions.

5.       Social Media Policies that Are Adequately Tailored to Uphold Workplace Confidentiality and Discrimination Rules are Lawful

• The policy originally prohibited discriminatory, defamatory, or harassing posts about specific employees, the work environment or work-related issues on social media sites. Broad terms like “defamatory” especially when applied to work-related issues could be construed to apply to protected activity. The amended policy prohibited “the use of social media to post or display comments about coworkers or supervisors or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.“ The amended policy, on the other hand, could not reasonably be construed to apply to protected activity as it provides a “list of plainly egregious conduct.”

• The employer’s social media policy provided that “the employer could request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws. [Further,] [i]t prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients, and it also prohibited employees from discussing in any form of social media “embargoed information,” such as launch and release dates and pending reorganizations.” In context, the prohibition applied only to communications that could impact security regulations or disclose proprietary information and, as such, was narrowly tailored and withstood scrutiny.

The Report also provides updated guidance regarding the scope of “concerted activity” under Section 7:

1.   Facebook Posts Can Only Be Considered Concerted Activity Where There Is Active Participation from Facebook “Friend” Co-Workers In the Discussion

• The terminated employee (a truck driver) posted to Facebook criticizing the way that the business was run, including, that the company was ‘running off all the good drivers’. No other employees joined the discussion and the employee’s comments did not attempt to induce a group action. The NLRB further noted that there was no “unlawful surveillance” since the employee had invited his supervisor to be his “friend” on Facebook.

• The terminated employee posted criticism of a supervisor on Facebook, including use of the phrase “setting it off”. The employer deemed the phrase to be threatening and inappropriate. The post was not concerted activity, because although the posts addressed terms and conditions of employment he did not intend to initiate or induce coworkers to engage in group action and no “friends” that were co-workers responded to his post. 

2.   Social Media Postings That Are a Direct Result of Concerted Activity Are Protected

•  The terminated employee, an individual to whom other employees confided in about on the job issues, posted about those shared concerns over the terms and conditions of employment. Co-worker responses to her posts contained suggestions for action by the group to change those conditions. Her termination was found to be unlawful because it was directly related to her “involvement in her co-workers’ work-related problems, including her discussions with fellow employees about the terms and conditions of employment.”

• The terminated employee made various online (e.g. on local newspaper message boards) and Facebook posts about the employer’s poor management style, which allegedly included bullying, harassment and abuse of employees that had been ongoing for at least 3 years. Several co-workers posted messages of support on the terminated employee’s Facebook Page, e.g. “Thank you for speaking for us who do not dare.” Since the posts were part of an ongoing labor dispute related to treatment of employees, and the statements were a “logical outgrowth of other employees’ concerns or were made with or on the authority of other employees”, it was clear that they contained unfair labor practice charges, which are protected by Section 7. The NLRB further found that the comments were not unprotected disparagement or defamation.

3. Comments to Facebook Postings Have Equal Protection and Privilege As Original Postings

• The terminated employee posted his frustration on Facebook that another individual was promoted over him and that the promotions were not aligned with the performance. Responses to his post included suggestions that all the good employees should quit.  These posts demonstrated “shared concerns about the terms and conditions of employment” and were therefore “concerted activity for mutual aid and protection” and protected activity under Section 7.

• The terminated employee posted on a co-worker’s Facebook wall about his supervisor’s bad attitude and poor management style, and the co-worker agreed responding that she wished she could work elsewhere.  The employees had previously complained about the supervisor to a higher up. Protest of supervisory action is protected under Section 7 and NLRB found that the discussion constituted “concerted activity for mutual aid and protection.” The NLRB further found that the comments were not unprotected disparagement or defamation.

As we have previously noted in prior posts about the NLRB’s social media enforcement actions, employers should carefully review and adjust their social media policies and practices in light of the NLRB’s guidance and enforcement. Social media policies must be narrowly tailored so as not to infringe upon employees’ Section 7 rights.

FTC Allegations

According to the FTC, ScanScout is an advertising network that places video ads on websites for advertisers. ScanScout engages in behavioral advertising – it collects information about consumers’ online activities and then serves video ads targeted to their interests.

The FTC alleged that ScanScout deceptively claimed that consumers could opt out of receiving targeted ads by changing their computer’s Web browser settings to block cookies. Specifically, ScanScout's privacy policy stated that:

General user data, such as your computer’s Internet Protocol (IP) address, operating system and browser type, pages you visited, and the date and time of your visit, is automatically collected through the use of “cookies”. Cookies are small files that are stored on your computer by a website to give you a unique identification. Cookies also keep track of services you have used, record registration information regarding your login name and password, record your preferences and keep you logged into the Site. You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies. Since each web browser is different, we recommend that you please look through your browser “Help” file to learn the correct way to modify your cookies set-up. . . We may use automatically collected information and cookies information for a number of purposes, including but not limited to. . . provide custom, personalized content, and information; monitor the effectiveness of our marketing campaigns. . . (emphasis added)

According to the FTC, however, ScanScout actually used Flash cookies that users could not block by adjusting their Web browser settings. The FTC alleged that ScanScout's representations that consumers could prevent ScanScout from collecting data about their online activities by changing their browser settings were false or misleading and constituted deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

Settlement

The settlement imposes a number of requirements on ScanScout. Specifically, the settlement:

• Prohibits the company from misrepresenting (1) the extent to which it collects, uses or discloses data about users or their online activities, (2) the extent to which users may exercise control over the collection, use or disclosure of data collected from or about them, their computers or devices or their online activities.

• Requires the company to take a number of steps to improve the transparency of, and users’ ability to control, its collection of user data for online behavioral advertising, including by implementing a mechanism that allows users to prevent ScanScout from: (1) collecting information that can be associated with users or contains a unique identifier, (2) redirecting users' browsers to third parties that collect data, absent a user's affirmative action, and (3) associating any previously collected data with them. Users' preferences must remain in effect for a minimum of five years.

• Requires the company to disclose: (1) that it collects information about users’ activities on certain websites to deliver targeted ads, (2) that, when users opt out, the company will not collect this information to deliver such ads, (3) users’ current preference, and (4) any circumstances that, if initiated by the user, would disable the mechanism or require the user to implement the mechanism again to maintain the preference (i.e., if a user switches browsers or devices, or deletes cookies, the user will have to opt out again).

• Requires the company, within or immediately adjacent to any behaviorally targeted display advertisement that the company serves, to include a hyperlink that takes users directly to the required choice mechanism.

• Because technical limitations currently prevent ScanScout from embedding a hyperlink in all of its video ads, the order requires the company to undertake reasonable efforts to develop and implement a hyperlink in its video ads and to report regularly to the FTC on its progress.

The settlement also requires ScanScout to retain documents relating to its compliance with the consent order and to disseminate the order to all current and future principals, officers, directors, managers, employees, agents, and representatives having supervisory responsibilities relating to the subject matter of the order. As typical for FTC enforcement actions, the order will remain in force for 20 years.

Our Take

The FTC is proving to be an increasingly nimble privacy enforcer, with ever shorter news story-to-enforcement action cycles. This approach is consistent with the FTC's stated commitment to take enforcement actions in the areas where the agency believes there is significant non-compliance.

The Guidelines follow the traditional notice sections of most web policies, including information collected by the developer and by advertisers, how the information is used and whether it is shared.  The Guidelines also suggest language for certain disclosures that are unique to the mobile world, such as whether precise location data is collected. However, the Guidelines do not take a position on certain core privacy issue (e.g. there is no position taken that all applications must offer certain opt-out choices or must obtain consent for certain practices); rather, the Guidelines are limited to optional language if certain practices are applicable.

The Guidelines do provide sample language that is consumer friendly and they likely cover the necessary topics for most applications.  As such, they may be a useful starting point, but they are just that – a starting point.  There is sample language but the specifics must be filled in by the developer and, most importantly, the disclosures must be accurate for the specific application.  There is no “one size fits all” template in the privacy world.  Thus, the MMA itself strongly suggests that developers consult with privacy counsel or privacy professional to assist in developing a final privacy policy for a specific application. 

The Guidelines are also fairly long and thus the question remains: how do developers provide this key notice to consumers in a prominent and consumer-friendly fashion on the small screen of a mobile device?  That is an issue that will need to be more fully worked out as technology and privacy practices develop in the mobile world. 

For more information on the Guidelines, visit www.mmaglobal.com.
 

In the case, Civ. (Tel Aviv) 1963-05-11 Malka v. Ava Financial, defendants moved for summary judgment against the plaintiff, user of their foreign exchange trading platform, on the basis of an English forum selection clause in a clickwrap contract. Plaintiff sued defendants for conflicts of interest and multiple violations of Israel’s financial trading regulations. Defendants, most of whom are Israeli residents, argued that the plaintiff entered into a contract with a British Virgin Islands company choosing English law and venue for any future litigation.

Plaintiff argued that the forum selection clause was “hidden” in an online contract whose terms he never read. In addition, he argued that such choice constitutes an “unfair term” in a contract of adhesion under the Standard Form Contract Act, 1982. Israeli Courts have broad powers to uphold, strike out, or amend unfair clauses in standard contracts (“blue pencil rule”). The Standard Form Contract Act enumerates a list of contractual provisions which are presumptively unfair, including unreasonable or unilateral forum selection (but not choice of law).

The court rejected the defendants’ reliance on the forum selection clause, effectively establishing Israeli jurisdiction over the case. An important factual holding is that plaintiff did not personally set up his online account on the defendants’ platform, but rather had it set up by an agent of the defendants. Consequently, plaintiff’s assertion of lack of knowledge of or consent to the forum selection clause held sway.

Regardless of the fact-specific holding, certain statements of the court are extremely important for non-Israeli companies entering into clickwrap or browsewrap agreements with Israeli customers. The court (Judge Ruth Ronen) stated that while "non est factum" arguments with respect to signed agreements must be interpreted restrictively, a party relying on a contract must produce a signed document evidencing the counterparty’s agreement. In an online setting, a party’s intent to enter into a contract can be established by showing that such party was informed of (i.e., read) the terms of the agreement and actively expressed his consent to be bound by them.

The court held that clickwrap agreements better evidence a consumer’s consent than browsewrap agreements. If clicking on a link is required to view the terms of the contract, such link must be featured prominently for consumers to see. (The court even states that in the online environment, viewing additional linked documents is easier than in the offline world).

The court held that a foreign forum selection clause is acceptable only where one of the parties to the agreement is non-Israeli (i.e., a contract between strictly Israeli parties should not point to a foreign forum). In this case, the court held (based on its factual holding above), that the plaintiff was not informed of and did not intend to agree to selection of a foreign forum. The court added that had the plaintiff agreed to such selection, defendants would still need to cross the hurdle of the Standard Contract Act; yet given the English choice of law clause, they would have been able to try to prove that under English law, a mechanism similar to Israel’s Standard Contract Act did not exist. Reading between the lines, it is evident that the court is readier to heed a foreign choice of law clause (the court assumes it would be enforceable in the present case) than a foreign forum selection provision.

This is an interesting case – another in a long line of jurisprudence, in Israel and abroad, discussing the enforceability of clickwrap contracts generally, and foreign choice of law and forum selection clauses in particular.

In December 2009, the Israeli parliament (the 'Knesset') enacted the Biometric Identifiers and Biometric Data Inclusion in Identification Documents and a Database Act (The "Biometric Data Act"). The act is meant to tackle large-scale loss and theft of identification cards and passports, later used by criminals and terrorists.

The Biometric Data Act is far-reaching. Following a two year trial period, every citizen will be compelled to provide two fingerprint samples and a facial photograph, to be digitally stored in a national database and on chips embedded in passports and national IDs (National IDs are mandatory in Israel for citizens over the age of 16). The digital ID will also carry a certified electronic signature to be used as a substitute for regular signatures in execution of transactions.

The biometric database is not made solely to manage the identification of ID and passports applications. It will also serve as a valuable source of information for law enforcement agencies, under the supervision of a new authority that the Ministry of Home Affairs established specifically for that purpose.

The act as a whole and specifically the biometric database, raise significant concerns. Privacy advocates urged the Home Office to reevaluate the potentially grave risks to information security and privacy that the database poses, including the irreversibility of biometric data loss and the public's general mistrust in the government's ability to secure the database. A proposal to transform the database into a blurred set-base that will enhance security and privacy was recently offered by Prof. Adi Shamir, a well-known cryptographer. The Law Information and Technology Authority (ILITA) backed Prof. Shamir's proposition, however the government eventually rejected it.

The new regulations under the biometric data act include a set of procedures for issuing a biometric ID, taking fingerprints and facial images from applicants, encrypting and securing the data and transferring data between authorities.

A governmental order accompanies the regulations and sets specific rules for the two-year trial period. During this period that starts in November 2011, biometric IDs will be issued to Israeli citizens, subject to their written and signed consent. At the end of the trial period, professional auditors will evaluate the extent of the trial's success under a set of predetermined parameters and feedback from applicants. Unless the Ministry of Home Affairs decides otherwise in light of the trials results and public debate, the Biometric Data Act will come into full effect at the end of the trial period, and all citizens will have to provide their biometric data at that time for inclusion in their IDs and passports.

As we have discussed on our blog, the NLRB has been very active since late 2010 in enforcing employees’ rights to discuss working conditions through social media. The Board's numerous enforcement actions have focused on employees’ work-related statements on social media platforms such as Facebook, Twitter and YouTube. The enforcement actions have addressed employees’ social media activities in the context of their rights under Section 7 of the National Labor Relations Act to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” Employers may not discipline or terminate employees (either unionized or non-unionized) for exercising their Section 7 rights.

The report suggests that the NLRB views as protected a broad scope of social media activity that addresses working conditions. It also suggest that the Board sets a low threshold for finding that such activity is “concerted” – i.e., “undertaken with or on the authority of other employees, and not solely by and on behalf of the employee himself.” While each enforcement action represents a unique set of circumstances, generally, the NRLB has found employees’ social media activity to be protected when the statements expressed employees’ sentiment about working conditions, whether or not the actual postings involved one or more employees. Examples of activities the Board deemed protected include discussions on social media that implicated working conditions and that were initiated by one coworker in an appeal to other coworkers for assistance; postings provoked by a supervisor’s allegedly unlawful activity; and postings that vocalized employees' sentiment about working conditions that the employees expressed in off-line conversations, even where coworkers did not post comments to the initial post by one of the employees.

The report also sets out various employee social media policy provisions that the NLRB found to infringe on employees’ Section 7 rights. According to the report, the NLRB may view as unlawful (often because the Board viewed them as overly broad) social media policies that:

• Prohibit employees from posting pictures of themselves in any media, including the Internet, which depict the company in any way, including posting featuring a company uniform or corporate logo;

• Prohibit employees from making disparaging comments when discussing the company or the employees' superiors, coworkers or competitors;

• Generally prohibit, in the application to social media, offensive conduct and rude or discourteous behavior;

• Prohibit inappropriate discussions about the company, management or coworkers;

• Prohibit any use of social media that may violate, compromise or disrtegard the rights and reasonable expectations as to privacy and confidentiality of any person or entity;

• Prohibit any communications or posts that constitute embarrassment, harassment or defamation of the employer or its employees, officers, board members, representatives or staff members;

• Prohibit statements that lack truthfulness or might damage the reputation or goodwill of the employer, its staff or employees;

• Prohibit employees on their own time from using social media to talk about company business, from posting anything that they would not want their manager or supervisor to see or that would put their job in jeopardy, from disclosing inappropriate or sensitive information about employer, or from posting any pictures or comments involving the company or its employees that could be construed as inappropriate;

• Prohibit employees from using the company name, address or other information on their personal profiles;

• Prohibit employees from revealing personal information regarding coworkers, company clients, partners or customers without their consent; or

• Prohibit the use of employer’s logos and photographs or of the employer’s store, brand or product without written authorization.

As we have previously noted in the context of discussing the NLRB’s social media enforcement actions, the Board’s view of employees’ Section 7 rights in the context of social media requires employers to carefully review and adjust their communications and social media policies and practices. The Board's report further suggests that employers need to tailor their social media policies narrowly to protect company interests without infringing on employees’ rights.

Changing Opinions

This is not the first time the FTC has issued a comprehensive FCRA report. Given the large volume of guidance materials it has amassed over time, the FTC released “Commentary on the FCRA ” in 1990 – a compilation of statements regarding how the FTC would interpret and enforce the FCRA. Much has changed since the FTC issued the 1990 Commentary: the FCRA has been significantly amended, the FTC has issued numerous new interpretive guidance documents, and developments in technology and industry practices have rendered parts of the Commentary obsolete or outdated. As a result, the FTC withdrew the 1990 Commentary when it issued the new staff report. The new staff report provides an overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the FTC’s interpretations of the Act. The interpretations in the staff report differ from the 1990 Commentary in five significant areas, described below.

Commercial Transactions. The FCRA applies to written, oral, or other communications of information by consumer reporting agencies (CRAs) that fit the definition of “consumer reports.” To be considered a consumer report, information communicated by a CRA must bear on a consumer’s credit worthiness, standing, or capacity, character, general reputation, personal characteristics, or mode of living. Additionally, the information must be used or expected to be used to establish the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment, or other purposes specifically identified in the FCRA. One point of contention has been whether and how the FCRA applies in the context of an application for business credit as opposed to personal credit. Creditors will often obtain a credit report on the sole proprietor or other principal of a business and use the report to determine whether to extend credit to the business. It was the FTC’s position in the 1990 Commentary that “a report on a consumer for credit or insurance in connection with a business operated by the consumer is not a consumer report.” Courts have held that the purpose of the FCRA “is to protect consumers from inaccurate or arbitrary information in a consumer report which is used as a factor in determining an individual's eligibility for credit, insurance or employment” and the FCRA “does not apply to reports used for business, commercial or professional purposes.” For example, in Wrigley v. Dun & Bradstreet, Inc. a commercial reporting service issued credit reports to subscribers who used the information when deciding whether to extend commercial credit to a construction company. The reports contained the personal financial information of the construction company’s president. The court held that the credit reports were for the extension of commercial credit – even though the reports contained personal credit information – therefore the FCRA did not apply.

The staff report details how the FTC currently interprets the FCRA’s application to commercial transactions. To be sure, “a report that concerns the consumer’s business history (as opposed to personal credit or employment history) that is collected and provided by a commercial reporting service solely for use in business transactions is not a ‘consumer report’” and the report provider is not a CRA. However, “a report from a CRA on the personal credit of a consumer to a business credit grantor is a ‘consumer report’ regardless of the purpose for which the information may in fact be used.” This means that reports to business credit grantors by commercial reporting services that compile data and provide reports only for commercial purposes are not “consumer reports” subject to the FCRA. On the other hand, a report on an individual based on information that was collected for the purpose of reporting on that individual is a consumer report and the FCRA applies, even if the report is furnished in connection with a commercial transaction.

Joint Users. Does an entity become a CRA by virtue of sharing a consumer report with another party? According to the FTC’s prior interpretation, a user could share a consumer report with another user without becoming a CRA under certain circumstances. An agent could share with its principal, an employee with employer, and two users could share a consumer report for the same permissible purpose with the consumer’s consent. In these scenarios, the entity sharing the report and the recipient were deemed “joint users” and the sharing entity escaped CRA status. The FTC has now abandoned the “joint user” terminology, focusing instead on whether an entity meets the statutory definition of a CRA. If a user shares a consumer report “for the purpose of providing consumer reports to third parties,” the user may be deemed a CRA. However, a user who obtains a consumer report and shares it with another simply to effectuate a particular transaction initiated by the consumer "is not providing consumer reports to third parties” and, therefore, is not a CRA.

Departments of Motor Vehicles. The FTC no longer takes the position a DMV is a CRA when it provides motor vehicle reports for insurance underwriting purposes – even if it does so for a fee. Although a DMV or other government agency that supplies public records to third parties might be considered a CRA based on a literal reading of the FCRA, the staff report notes that such an interpretation would “lead to absurd results.” If government sources of public record information were CRAs, “government agencies would be required to suppress accurate public record information more than seven years old” and “those who provide information for use in public records – such as police officers – would be deemed furnishers, subject to a host of responsibilities under the FCRA.”

Identified Information. The FTC generally considers “credit guides” – listings that rate how well consumers pay their bills – to be consumer reports subject to the FCRA. However, the FTC previously did not consider credit guides to be consumer reports if they were coded to prevent the disclosure of a consumer’s identity. The FTC now takes the position that that credit guides (as well as other information) that do not identify consumers by name may constitute consumer reports if such guides can “otherwise reasonably be linked to the consumer.” The FTC voiced its concern that coding (particularly by Social Security number or other sensitive data) could readily lead to the disclosure of a consumer’s identity due to advancements in technology and the increasing availability of consumer data.

New Interpretations

The staff report addresses several issues not covered by the 1990 Commentary in an attempt to provide clarity regarding FCRA provisions that have generated a significant number of questions from the public. Importantly, the staff report delves into detail regarding when it is permissible for CRAs to issue (and users to obtain) consumer reports under the FCRA. One permissible purpose to obtain a consumer report is “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the … review or collection of an account of the consumer.” The staff report states that the “review” permissible purpose applies only when a creditor has an existing account relationship with a consumer and uses a consumer report solely to decide whether to modify the terms of the account. This means that even if a creditor has a permissible “review” purpose to obtain a consumer report, it may not exploit the report to market other products or services to the consumer. CRAs are also permitted to furnish a consumer report according to the written instructions of the consumer to whom the report relates. The staff report states that written consent only qualifies as an “instruction” if it clearly authorizes the issuance of a consumer report on that consumer. For example, “I authorize you to procure a consumer report on me” is sufficient if it is in writing, but the consumer’s signature on a form stating “I understand that where appropriate, credit bureau reports may be obtained” is not. The FTC highlights a consumer’s electronic signature may be an acceptable method of providing written instructions under FCRA. To be valid under the ESIGN Act, electronic authorization must be in a form that can be retained and retrieved in a perceivable form. The FTC notes “whether an e-mail, a mouse click ‘yes,’ or other electronic means clearly conveys the consumer’s instructions depends on the specific facts.”

The staff report also reflects the statutory modifications made to the FCRA over the years. Recently, the Dodd-Frank Act amended the FCRA to impose new requirements on users of consumer reports. The FCRA requires a person taking adverse action based in whole or in part on a consumer report to provide adverse-action notice to the affected consumer. Under new rules that took effect July 21, 2011, users of credit scores must include those scores (and related information) in adverse-action notices. This requirement also applies to adverse-action decisions not related to credit. Consequently, when a user takes an adverse action based on consumer report information, regardless of the weight the credit score plays in the decision, the user must provide the consumer with a host of new information. Additionally, the FCRA requires creditors to provide risk-based pricing notice to consumers when, based on the report, the creditors grant credit or amend existing credit on terms that are “materially less favorable” than the most favorable terms obtained by a substantial portion of consumers. The Federal Reserve Board and the FTC recently amended their respective adverse action and risk-based pricing rules to reflect the recent FCRA amendments. The new rules raise a host of questions, many of which are addressed in the staff report. As the new rules apply when a credit score is used in the evaluation of a consumer, the staff report squarely addresses what constitutes a credit score and when a credit score is considered “used” under the rules. The staff report clarifies that a score that is not used to predict creditworthiness, such as an insurance score, is not a credit score and need not be disclosed. The staff report also makes clear that “use” occurs at a very low threshold - if a credit score plays any role in a user’s decision regarding a consumer then it must be disclosed.

Future of FCRA Interpretation and Enforcement

The newly created CFPB is now the primary agency responsible for interpreting the FCRA. The CFPB is vested with exclusive rulemaking authority over all federal consumer financial law – this includes the authority to issue rules under existing consumer protection statutes such as the FCRA (with limited exceptions) as well as new rules to prohibit unfair, deceptive or abusive acts or practices. The primary role of the CFPB will be supervision in order to “prevent harm to consumers from unlawful financial practices and ensure that markets for consumer financial products and services are fair, transparent, and competitive.” To accomplish this, CFPB is assembling a team of examiners that will directly observe the business practices of entities subject to CFPB jurisdiction. Examiners will assess institutions’ compliance with the FCRA and other federal consumer protection laws. According to the CFPB website, the agency will require businesses to change their practices to comply with the law and may also “require improved employee training, implementation of better policies and procedures or quality controls, and in more serious cases, monetary compensation to consumers.”

Since the adoption of the FCRA, the FTC has enforced the Act at the federal level by bringing enforcement actions against CRAs, entities that furnish information to CRAs, and users of consumer reports such as creditors and employers. The CFPB and FTC now have joint FCRA enforcement authority over a host of industries. As we noted in a previous post, the FTC is actively addressing FCRA compliance and we expect its efforts to extend beyond traditional CRAs. Earlier this year the FTC found that Social Intelligence Corporation - an Internet and social media background screening service - is a CRA subject to the FCRA. Like the FTC, we expect the CFPB will broadly interpret and actively enforce the FCRA. In so doing, the CFPB may give heavy weight to the FTC’s interpretations of the FCRA, making the staff report invaluable to businesses handling consumer report information. With new FCRA rules in place and an additional agency tasked with FCRA enforcement, businesses are wise to determine whether they are subject to the FCRA and to consider FCRA compliance.

Sorrell v. IMS Health, Inc.

When pharmacies fill prescriptions they collect information such as the doctor prescribing the medication, as well as the medication and dosage prescribed. Under federal law, this data excludes information that could be used to identify individual patients. Pharmacies often sell this PI information to data miners who produce reports on prescriber behavior. Data miners then lease their reports to pharmaceutical companies. Pharmaceutical companies use data miners’ reports to identify specific doctors they believe might be interested in their products. The companies dispatch sales representatives, known as “detailers,” to meet individually with these targeted doctors. Detailers pitch their company’s products, answer questions about existing products, and try to convince the doctors to prescribe their company’s products more frequently. Since advertising is most effective when it is directed at purchasers who are likely to be interested in the advertised product, detailing allows pharmaceutical companies to get more bang for their advertising buck.

Vermont’s Prescription Confidentiality Law. The Vermont legislature enacted the Prescription Confidentiality Law in 2007 in an effort to curtail detailers from convincing doctors to prescribe expensive name-brand drugs rather than low-cost generics. Vermont justified its statute, in part, by claiming it had a strong interest in promoting public health and protecting medical privacy. The statute provided that PI data could not be sold by pharmacies and similar entities, disclosed by those entities for marketing purposes, or used for marketing by pharmaceutical manufacturers absent the prescriber's consent. However, the prohibitions on sale, disclosure, and use were subject to a host of exceptions that permitted entities possessing PI data to sell and use the data for a variety of purposes other than marketing. In addition, the Vermont statute specifically prohibited pharmaceutical manufacturers and marketers from using PI data for marketing or promoting prescription drugs. Interestingly, the statute permitted insurers and benefits managers to use PI data to require or encourage doctors to prescribe generics. Similarly, another Vermont statute permits the state to use PI data in a “counter-detailing” program to target doctors and persuade them to switch to low-cost generics. Vermont itself could thus use PI data to market generic drugs while at the same time restricting pharmaceutical companies and data miners from using PI data for marketing. Three companies that sell the information they gather — IMS Health, SDI and Source Healthcare Analytics — challenged the statute on First Amendment grounds. The drug industry’s trade group, the Pharmaceutical Research and Manufacturers of America, joined the lawsuit.

Commercial Speech and Heightened Scrutiny. Whether speech protected by the First Amendment was involved at all was a contentious issue in Sorrell. Vermont argued that sales, transfer, and use of PI data are conduct, not speech. Public Citizen filed an amicus brief in support of Vermont’s position, arguing that aggregate PI data lacks the expressive element required for strong First Amendment protection. Some view aggregate information akin to an ordinary commodity (one lower court compared it to beef jerky) that the legislature has broad latitude to regulate in its discretion. The Court disagreed, noting “the creation and dissemination of information are speech for First Amendment purposes” and “Vermont’s statute could be compared with a law prohibiting trade magazines from purchasing or using ink.”

Vermont argued in the alternative that if speech was involved, heightened judicial scrutiny was unwarranted because the statute was merely a commercial regulation - restrictions on protected expression are distinct from restrictions on economic activity. Although the First Amendment does not prevent restrictions directed at commerce from imposing incidental burdens on speech, the Court noted that in addition to the burdens it imposed, the statute was aimed at particular speakers and restricted specific content. Such targeted censorship of commercial speech warrants heightened judicial scrutiny, and violates the First Amendment unless it achieves at least a substantial governmental interest.

Vermont attempted to justify the statute in part by claiming that it fulfilled “an important privacy interest in giving prescribers control over the use of their prescription-history information.” “While Vermont’s stated policy goals may be proper,” stated Justice Kennedy for the majority, the Court didn’t buy the argument. The legislative history of the statute demonstrated the Vermont legislature was mainly concerned that detailers were too effective at convincing doctors to prescribe their name-brand products – privacy concerns were a mere side note. Additionally, the statute’s many exceptions permitted those in possession of PI data to distribute it without prescribers’ consent “in almost every instance.” The only restriction on the non-consensual use of PI data was that the information couldn’t be used for marketing by drug companies. “The statute thus is not a genuine attempt to protect prescribers’ privacy,” according to the Court. Vermont’s interest in giving prescribers “a slight degree of control” over the use of their prescription history data did not justify the statute’s restrictions on free speech. “Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers,” according to the Court.

Brown v. Entertainment Merchants Association

On October 7, 2005, Governor Schwarzenegger signed into law California Assembly Bill 1179, which prohibited the sale or rental of “violent video games” to minors and required their packaging to be labeled “18.” Representatives from the video game and software industries brought a preenforcement challenge to the statute. The Court held that the statute imposed an unconstitutional content-based restriction on protected speech.

Video Games Entitled to First Amendment Protection. Writing for the majority, Justice Scalia explained that all speech that communicates ideas, including video games, is protected by the First Amendment. The Court emphasized the basic tenet that content-based restrictions on expression – such as the California statute’s violence-based restriction - are presumptively invalid. The rule is subject to a few limited exceptions for historically unprotected speech such as obscenity, incitement, and fighting words. Essentially, California’s statute attempted to categorize violent video games as obscenity beyond reach of the First Amendment’s protection. The statute covered games “in which the range of options available to a player includes killing, maiming, dismembering, or sexually assaulting an image of a human being, if those acts are depicted” in a manner that a reasonable person “would find appeals to a deviant or morbid interest of minors,” that is “patently offensive to prevailing standards in the community as to what is suitable for minors.” According to the Court, California tried to make its content-based restriction look like obscenity regulation by excluding video games with literary, artistic, political, or scientific value from the statute’s coverage (language borrowed from Supreme Court obscenity jurisprudence). However, the Court emphasized that the obscenity exception to the First Amendment only covers depictions of sexual conduct, not “whatever a legislature finds shocking.” Just last term, the Court held in United States v. Stevens that “new categories of unprotected speech may not be added to the list by a legislature that concludes certain speech is too harmful to be tolerated.” The holding in Stevens controlled the case at issue – “violence is not part of the obscenity that the Constitution permits to be regulated.” Thus the Court determined that video games are protected speech under the First Amendment.

Strict Scrutiny Applied. The Court then subjected the statute to strict scrutiny because it imposed a content-based restriction on protected speech. In other words, California had to demonstrate that the Act was justified by a compelling government interest and was narrowly drawn to serve that interest. No doubt there is a legitimate interest in protecting children from harm. California argued that video games present a unique set of problems because they are interactive - players participate in the violent action on screen and determine its outcome. The Court rejected the argument as “all literature is interactive,” referencing Choose-Your-Own-Adventure stories where the reader makes decisions that determine the plot by following instructions about which page to turn to (remember those? I do!).

A belief shared by many – including the California legislature – is that children exposed to violence in video games are more likely to experience feelings of aggression and to exhibit violent antisocial or aggressive behavior. California justified the Act by claiming a “compelling interest in preventing violent, aggressive, and antisocial behavior, and in preventing psychological or neurological harm to minors who play violent video games.” Yet to survive strict scrutiny California was required to specifically identify an actual problem in need of solving and demonstrate that the curtailment of free speech was necessary to the solution. California didn’t meet that standard – it didn’t show a direct causal link between violent video games and harm to children. According to the Court, studies purporting to show a connection between exposure to violent video games and harmful effects on children “do not prove that violent video games cause minors to act aggressively” and “suffer from significant, admitted flaws in methodology.” Even if violent video games produce some effect on children's feelings of aggression, “those effects are both small and indistinguishable” from effects produced by exposure to other media such as violent cartoons. Since “California has (wisely) declined” to restrict other forms of violent speech, the Court considered the Act to be “wildly underinclusive” when judged against its asserted justification. According to the Court, underinclusiveness indicates that the government is disfavoring a particular speaker or viewpoint – in this case, California singled out the purveyors of video games for disfavored treatment without sufficient justification.

The Impact - Regulations for the Future… Or Not

With greater frequency, new technologies and marketing strategies introduce a profit motive into what would otherwise be protected speech. In a number of past opinions, the Court has given the government greater latitude when regulating commercial speech. Yet the majority in Sorrell gave strong First Amendment protections to speech that is commercial in nature. This may be good news for Internet advertising companies despite the growing number of recent proposals for government regulation of behavioral advertising. Using data about a user’s browsing history to deliver targeted advertisements to consumers is quite similar to the practice of “detailing” used by pharmaceutical companies. If the government tries to regulate online tracking, the industry may ask the courts to strike those regulations down using Sorrell as a precedent. Sorrell and Brown indicate that despite an industry’s profit motive, government regulations containing speaker- and content-based restrictions must address genuine, recognizable harms in order to survive heightened judicial scrutiny. However, it’s notoriously difficult to identify and quantify privacy-related harms. After Sorrell, legislatures will need to design privacy regulations more carefully, focusing on restricting industry practices that actually cause cognizable harms to individuals.

Rather than regulate in the face of this First Amendment tightrope, perhaps leaving the industry to self-regulate is preferable, particularly when the harms are nebulous and there are alternative ways to mitigate them. In Sorrell, Vermont contended that its Prescription Confidentiality Law protected doctors from “harassing sales behaviors.” Yet Vermont offered no explanation why remedies other than content-based rules would be inadequate. The Court noted that physicians can, and often do, simply decline to meet with detailers, including detailers who use PI data. Additionally, “Doctors who wish to forgo detailing altogether are free to give ‘No Solicitation’ or ‘No Detailing’ instructions to their office managers or to receptionists at their places of work.”

Justice Breyer dissented in Brown, stating “the First Amendment does not disable government from helping parents make such a choice here - a choice not to have their children buy extremely violent, interactive video games, which they more than reasonably fear pose only the risk of harm to those children.” California State Senator Leland Yee (D-San Francisco), original author of California Assembly Bill 1179, responded to the Court’s decision by stating “It is simply wrong that the video game industry can be allowed to put their profit margins over the rights of parents and the well-being of children.” Again, there are viable alternatives that address the potential harms raised in Brown – perhaps rendering regulation of protected speech unnecessary. As the National Association of Broadcasters noted in its amicus brief, “technology that can limit youth access to violent media has proven to be effective” and “the government should continue its constitutionally appropriate role in developing and promoting technological tools to assist parents in monitoring their children's use of media.” Even absent blocking technologies, the industry’s voluntary rating system informing consumers about the content of video games and responsible parenting can help protect children from violent media. Nothing prohibits parents from telling their kids “no” – they can simply (and have the right to) restrict their children’s access to media they deem inappropriate.

Conclusion

One core principle we can take away from this pair of cases was summed up by Justice Scalia in Brown: “whatever the challenges of applying the Constitution to ever-advancing technology, the basic principles of freedom of speech and the press, like the First Amendment's command, do not vary when a new and different medium for communication appears.” In Sorrell, Vermont asked for an exception to the rule that information is speech, but the Court found no need to consider Vermont’s request. Speaker- and content-based burdens on protected expression are sufficient to justify application of heightened judicial scrutiny, even if the information at issue is “a mere commodity.” Content-based restrictions were also the death of California’s violent video game statute in Brown. Brown evidences the Court’s unwillingness to expand the categories of speech that fall outside of the protections of the First Amendment. The bottom line is that the ambit of protected speech and expression is broad and the exclusions are narrow.

According to Greg Beck, who filed an amicus brief in Sorrell on behalf of Public Citizen, legislators need to be careful about the scope of regulations they enact given the Court’s recent stance on the scope of First Amendment protection. Regulations that are too narrow may unfairly target particular speakers. Regulations that are too broad may not be fully supported by the government’s rationale, thereby burdening more speech than justified. Given the Court’s recent decisions striking down statutes in the face of First Amendment challenges, perhaps regulation should take a back seat to alternative solutions when speech is involved. As Justice Kennedy wrote in Sorrell, “Many are those who must endure speech they do not like, but that is a necessary cost of freedom.”

The right to an access report would apply only to health information that is maintained using an electronic system, as tracking access to paper records is not automated and would be unduly burdensome according to HHS. The proposed regulations would require covered entities to generate, upon request, an access report from access log data, which is collected by electronic record systems each time a user accesses protected health information. Access reports would detail the access by covered entities as well as business associates –entities that create, receive, maintain, or transmit certain health-related information on behalf of covered entities. The proposed rule requires covered entities and business to retain access logs for no less than three years so that an access reports can document access to the individual’s health information for the three years prior to the individual’s request for the report.

Covered entities and business associates are already required to comply with the HIPAA Security Rule, which obligates them to track access to protected health information. As such, HHS believes that the proposed rule will not be unduly burdensome. According to HHS, many electronic systems are already configured to log the activities that the proposed access reports would reference.

Under the proposed rule, access reports would include the date and time of access, and the name of the individual or entity accessing an individual’s health information. Additionally, if available, an access report would include a description of the information that was accessed and of the action taken by the user (e.g., whether they created, modified or deleted the information). Access reports also must include a statement informing individuals of their right to request access reports in their notices of privacy practices. Additionally, while individuals would be entitled to receive their first access report free of charge, the proposed rule would allow covered entities to charge reasonable, cost-based amounts for any subsequent reports requested within a 12-month period.

To minimize the volume of data in an access report, covered entities could give individuals the option to limit the coverage of the report by a specific date, time period, or person. For example, the individual requesting a report could elect to limit an access report to disclose only whether a particular family member accessed the individual’s health records within the last six months. Additionally, HHS is recommending – although not requiring in the proposed rule – that covered entities offer individuals the option to limit access reports to specific organizations. For example, if an individual does not wish to learn whether his or her health records were accessed by business associates, the covered entity would not need to obtain access logs from the relevant business associate to include in the access report the covered entity provides to the individual.

The proposed rule would require covered entities and business associates that implemented electronic record systems after January 1, 2009 to produce access reports beginning January 1, 2013. Entities that have implemented electronic record systems acquired on or before January 1, 2009 would be required to comply with the proposed rule beginning January 1, 2014. HHS has requested comments regarding a variety of issues the proposed rule has raised, and will receive comment submissions until August 1, 2011 (to submit a comment, click HERE ).

InfoLawGroup’s Nicole Friess and Boris Segalis collaborated on this blog post.

WP29 found that:

• With the help of geolocation technologies smart mobile devices can be tracked for purposes ranging from behavioral advertising to monitoring of children

• Because mobile devices are inextricably linked to their users, the travel patterns of the device provide a very intimate insight into the private life of the user, rendering the location data personal; specifically, "the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data."

• One of the main risks of location data processing is that the user is unaware that the device transmits the location data and to whom the information is provided

• There risk that the consent for certain applications to use location data is invalid because the information about the key elements of the processing is incomprehensible to the user, outdated or otherwise inadequate

• Because location data from smart mobile devices reveal intimate details about the private life of their users, the main applicable legitimate ground is prior informed consent

• Consent cannot be obtained through general terms and conditions; rather, consent must be specific for the different purposes that location data is collected, used or otherwise processed (e.g., profiling or behavioral targeting)

• If the purposes of the processing change in a material way, the data controller (i.e., the entity that determines the purposes and means of collecting, using or processing the data) must seek renewed specific consent of the individual

• By default, location services must be switched off

• An opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent

• With respect to employees, employers may only adopt this technology when it is demonstrably necessary for a legitimate business purpose and the same purpose cannot be achieved with less intrusive means

• With respect to children, parents must judge whether the use of location data is justified in specific circumstances

• The consent should be limited in time; users should be asked for consent at least once a year

• Users must be able to withdraw their consent in a very easy way, without any negative consequences for the use of their device

• With regard to the mapping of WiFi access points, companies can have a legitimate interest in the necessary collection and processing of the MAC addresses and calculated locations of WiFi access points for the specific purpose of offering geolocation services; the balance of interests between the rights of the data controller and the rights of the user requires an opportunity for the user to easily and permanently opt out from the database, without providing additional personal data

• Users must be provided with clear, comprehensive and understandable for a broad, non-technical audience notice of the collection, use or other processing of geolocation data; the notice must be permanently and easily accessible; the validity of the user's consent is inextricably linked to the quality of the information about the data collection

• Third parties, such as browsers and social networking sites, have a key role to fulfill when it comes to the visibility and quality of the information about the processing of geolocation data

• Users have the right to access their location data in a human-readable format and to rectify and erase the data; users also have the right to access, rectify and erase profiles compiled based on their geolocation data

• Providers of geolocation applications or services should implement retention policies which ensure that geolocation data or profiles derived from such data are deleted after a justified period of time

• If the developer of the device's operating system or a data controller of the geolocation infrastructure processes a unique number such as a MAC address or a UDID in relation to location data, the unique identification number may only be stored for a maximum period of 24 hours, for operational purposes

InfoLawGroup Says:

While the debate about mobile location data is in its infancy in the U.S. (see our blog post and Fox News interview), Europe has served up guidance that, it is fair to say, brings to life every nightmare of U.S. businesses working and innovating in this industry. It  is important to keep in mind that WP29 recommendations are not the law. As with any WP29 opinion, businesses need to monitor how the DPA will implement the guidance, if at all. I suspect that Apple and Google will be the first to face pressure from European data protection authorities to comply with the guidance. We will monitor how any enforcement action will play out. For now, U.S. business entering mobile location marketplace in Europe should strive to implement the opinion's requirements to the extent the requirements are feasible.

In its counterclaim PMSI concluded that Lee's actions violated the Company’s Computer Usage Policy and that as to the necessary CFAA hook “[t]he Company suffered a loss from this unproductive time that Lee spent on these unauthorized websites” which “[a]s a direct and proximate result of the . . . conduct by Lee . . . suffered financial losses in excess of $5,000, due to her lack of productivity, as work that should have been performed by her had to be given to others and in wages paid to her.”

The Court's Order

In response, Ms. Lee moved to dismiss the counterclaim via a Motion to strike Defendant's Untimely Amended Pleading and Counterclaim or Alternativly [sic] to Dismiss Defendant's Counterclaim. In a workmanlike six-page Order, U.S. District Judge Steven D. Merryday granted Ms. Lee’s motion and dismissed PSMI’s counterclaim with prejudice while reinstating PMSI’s original Answer.

Frankly, had the court held otherwise virtually every employee with computer access around the country – or rather, at least within the Middle District of Florida - would have been subject to a CFAA counterclaim if fired and thereafter attempting to sue in response. Judge Merryday’s Order notes that “[t]he CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to ‘access and control high technology processes vital to our everyday lives....’ * * *  Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working.”

From this second paragraph of the Order it was all downhill for PMSI. In discussing PMSI’s attempted damages hook as to Lee’s alleged “lost productivity” due to surfing the Internet the court, and I can’t help but applaud the Judge’s ability to maintain a straight face in his prose, stated “[t]he defendant asserts (dubiously) that during her six months of employment, the plaintiff caused the defendant ‘financial losses in excess of $5,000, due to her lack of productivity . . .’ (Doc. 12) The definition of ‘loss’ contemplates damage to a system or data, rather than a lack of productivity.” It’s one thing to argue zealously on behalf of one’s client; it’s quite another to attempt to stretch a statute, flawed as the CFAA is, to such lengths that an Acme Giant Rubber Band of the type favored by Wiley E. Coyote would snap.

In putting PMSI’s counterclaim to bed, the court further observed that:

“PMSI fails to show that the plaintiff ‘exceeded authorized access’ or obtained information from the computer. ‘Exceeds authorized access’ is defined as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never ‘obtained or alter[ed] information in the computer.’ Lee accessed her facebook, personal email, and news websites but did not access any information that she was ‘not entitled so to obtain or alter.’"

Applying the final thrust, Lee’s actions may have violated the company’s usage policies, in the court’s view, but PMSI’s attempted shoehorning of her conduct into the CFAA was a distinct no-go. And in a footnote aside, that fairly screamed READ THE STATUTE AND APPLICABLE CASE LAW NEXT TIME, the court dryly quipped, “18 U.S.C. § 1030(a)(2)(C) also requires that the information be obtained from ‘a protected computer’ which is defined as a computer ‘which is used in or affecting interstate or foreign commerce or communication.’ 18 U.S.C. § 1030(e)(2)(B). The defendant fails to allege that the plaintiff accessed a ‘protected computer.’"

And, with a final light touch, Judge Merryday closed with the backhand that “[e]xtension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir. 2003).”

Bottom-Line

As we all know in litigation, to egregiously mangle a metaphor, sometimes the bear gets you and sometimes you get the bear. Here PMSI was more than "gotten" by the bear, as it were. Thankfully so. Still, it's a lesson as to when aggressive or sloppy representation crosses over into mere aggravation for all concerned, particularly when the often troublesome CFAA is involved. 

Ceridian Allegations

The FTC alleged that the privacy and information security representations Ceridian disseminated thought the company’s website were false and misleading and, therefore, constituted unfair or deceptive acts or practices that violated Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleged that Ceridian made the following representations regarding the privacy and confidentiality of the personal information the company collected:

Worry-free Safety & Reliability . . . When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.

With respect to its information security measures, the Ceridian stated:

Confidentiality and Privacy: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer].

The FTC alleged that these statements were false and misleading because Ceridian:

• Stored personal information in clear, readable text;
• Created unnecessary risks to personal information by storing it indefinitely on its network without a business need;
• Did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;
• Did not implement readily available, free or low-cost defenses to such attacks; and
• Failed to employ reasonable measures to detect and prevent unauthorized access to personal information.

The FTC alleged that hackers exploited these vulnerabilities by launching an SQL injection attack on the company's website and web application. The hackers gained access to Ceridian's network and obtained customers' employee data (including bank account numbers, Social Security numbers, and dates of birth). The breach affected the personal information of at least 27,673 individuals.

Lookout Allegations

The FTC alleged similar privacy and security violations by Lookout.  Specifically, the FTC alleged that Lookout made the following representations regarding the security of employee data the company maintained:

Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.... Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated
software tools.

The FTC alleged that these representations were false and misleading and violated Section 5(a) of the FTC Act because Lookout:

• Failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess; for example, the company did not require its customers or employees to use complex passwords to access the product database;
• Failed to require periodic changes of user credentials for customers and employees with access to sensitive personal information;
• Failed to suspend user credentials after a certain number of unsuccessful login attempts;
• Did not adequately assess and address the vulnerability of the company's web application to widely-known security flaws, such as “predictable resource location,” which enables users to easily predict patterns and manipulate the uniform resource locators (“URLs”) to gain access to secure web pages;
• Allowed users to bypass the authentication procedures on Lookout’s website when
  they typed in a specific URL;
• Failed to employ sufficient measures to detect and prevent unauthorized access to
  computer networks, such as by employing an intrusion detection system and
  monitoring system logs; and
• Created an unnecessary risk to personal information by storing passwords used to
  access the product database in clear text.

The FTC alleged that these deficiencies enabled an employee of a Lookout customer to gain
access to the personal information of over 37,000 individuals (including names, addresses, dates of birth and Social Security numbers). The employee obtained a URL for a secure Lookout web page during a webinar for the company's I-9 compliance solution. She subsequently typed that URL into her browser and gained access to employee personal information without having to provide valid user credential. The employee also visited Lookout’s public-facing login web page for the company's product and successfully guessed and entered several different user IDs and passwords, including the user ID “test” and the password “test.” As a result, the employee was able to access the personal information of more than 11,000 individuals. Then, by making minimal and easy-to-guess changes to the URL, the employee gained access to the entire product database, which included the personal information of more than 37,000 individuals. The FTC alleged that because Lookout did not employ an intrusion detection system until October 2009, or adequately monitor system logs until December 2009, it was unknown if other unauthorized persons accessed the personal information in the company's database before that time.

Settlements

The settlement orders bar the misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers (including customers' employees). The FTC also requires the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years. 

The comprehensive security program must contain administrative, technical and physical safeguards appropriate to each company's size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees.

Specifically, the consent orders require each company to:

• Designate an employee or employees to coordinate and be accountable for the information security program;
• Identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
• Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Ceridian, and require service providers by contract to implement and maintain appropriate safeguards; and
• Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Lessons Learned

The FTC's enforcement actions against Ceridian and Lookout likely signal a two-fold expansion of the Commission's privacy and data security enforcement activities: to smaller-scale violations and violations affecting employee data. The two actions are not typical for the FTC for several reasons. First, the incidents affected a relatively small number of individuals (with no hard evidence of malicious hacking at Lookout).  In addition, the enforcement actions focused on the personal information of employees rather than consumers. While consumers are the focus of an overwhelming majority of the FTC's privacy and information security enforcement, the FTC has long viewed its Section 5 jurisdiction broadly.  As early as 2000, the FTC took the position that it "has the same jurisdiction in the employment-related data situation as it would generally under Section 5 of the FTC Act … [A]ssuming a case met our existing criteria (unfairness or deception) for a privacy-related enforcement action, we could take action in the employment-related data situation." With Ceridian and Lookout settlements, the FTC seems to want to dispel the notion that it is focused solely on large scale, high profile privacy and information security violations affecting consumers. This is another reason to take a hard look at your company's privacy and information security compliance.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

• First name (or initial) and last name;
• Residential address;
• E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
• Telephone or mobile device numbers other than those considered work contact numbers;
• Social security numbers and other government-issued identification numbers
• Credit card numbers;
• Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
• Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

• Birth date, birth or adoption certificate number, or place of birth;
• Unique persistent identifiers (not limited to those used to identify a specific individual);
• Precise geographic location; and
• Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information as well notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

• The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
• The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
• The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

• To process a transaction or service requested by that individual;
• To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
• To prevent or detect fraud or to provide for a secure environment;
• To investigate a possible crime or that is required by law or legal process;
• To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
• Necessary for the improvement of the transaction or service through research and development; or
• Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).

The company displays ads to consumers based on their online activities. Chitika’s privacy policy said that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. According to the FTC, however, Chitika’s opt-out lasted only 10 days. After that time, Chitika placed tracking cookies on browsers of consumers who had opted out and displayed targeted ads to them again.

The FTC charged that Chitika engaged in a deceptive practice in violation of Section 5 of the FTC Act by tracking consumers’ online activities even after they used Chitika’s opt out mechanism to direct the company to stop tracking them online and serving targeted ads.

The settlement bars Chitika from making misleading statements about the company’s data collection practices and the extent to which consumers can control the collection, use or sharing of their data. The settlement also requires that every targeted ad Chitika displays include a link to a clear opt-out mechanism that allows a consumer to opt out for a period of at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt out was in place. Finally, Chitika must alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid receiving targeted ads through the company.

Twitter – FTC Alleges Failure to Safeguard Personal Information

On March 11, 2011, the FTC announced final settlement with Twitter over allegations that the company deceived consumers and put their privacy at risk by failing to safeguard the security of their personal information. The FTC alleged that serious lapses in the company’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter and access users’ personal information and tweets that users designated as private. The hackers also gained the ability to send tweets from any account. The FTC complaint alleged that hackers were able to gain administrative control of Twitter on at least two occasions.

According to the FTC, Twitter’s website privacy notice stated that the company “employ[s] administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private. The FTC alleged that Twitter’s representations that the company (i) used reasonable and appropriate security measures to prevent unauthorized access to nonpublic user information, and (ii) honored users’ privacy choice were deceptive and violated Section 5 of the FTC Act.

The settlement prohibits Twitter from misleading consumers about the extent to which the company protects the security, privacy and confidentiality of nonpublic consumer information, including the extent of the measures the company takes to prevent unauthorized access to the information. Twitter also must honor the privacy choices made by consumers and establish and maintain a comprehensive information security program. The program must be assessed by an independent auditor every other year for 10 years.

Lessons Learned

With privacy enforcement on the rise, companies are well advised to take proactive approach to compliance with privacy and information security laws, regulations, guidelines and best practices. The FTC expects businesses to collect, use, disclose and process personal information in a fair and transparent way, and to accurately represent their privacy and security practices to consumers. Take a look at these Fair Information Practice Principles and think how your business can apply them to its personal information practices.

Background

In 2004, AT&T had voluntarily reported to the FCC that it may have overcharged the government for various services the company provided as part of an FCC-administered program to open network access to schools and libraries. The AT&T entered into a consent decree to settle the charges brought by the FCC as a result of the disclosure. Subsequently, a trade association that included several AT&T competitors as members, filed a FOIA request to obtain "all pleadings and correspondence" the FCC had on file on regarding the AT&T matter.  This case arguably represents the trend of the use of FOIA requests for corporate intelligence gathering.

AT&T opposed the request, seeking to exclude the materials it had previously provided to the FCC from landing in the hands of the company's competitors. AT&T's opposition was based on several FOIA exemptions. The FCC found several exemptions applied, but limited the applicability of the "personal privacy" exemption to the records of AT&T's individual employees that the company provided to the FCC. AT&T argued that the exemption should also apply to the records of the AT&T corporate entity, but the FCC disagreed.

AT&T appealed the FCC's decision to the Third Circuit Court of Appeals. The Third Circuit sided with AT&T, finding that FOIA's "personal privacy" exemption extended to "persons," including "an individual, partnership, corporation, association, or public or private organization other than an agency." The FCC petitioned the Supreme Court for review.

The Holding

The Supreme Court's holding did not come as a great surprise, given that the oral argument on January 10, 2011 (audio here and transcript here) strongly suggested an FCC win. More interesting, perhaps, is the straightforward manner in which Chief Justice Roberts, writing for the Court, dispensed of the matter as a basic issue of grammatical interpretation and dictionary definitions. The Court observed that "adjectives typically reflect the meaning of the corresponding nouns, but not always." In this case, the Court highlighted the importance of the context of surrounding terms in the construction of statutory language, and the distinction between a "legal meaning" of a word and the ordinary one, citing to the Dictionary Act, 1 U.S.C. §1 (didn’t know there was a Dictionary Act?). The Court observed that AT&T did not cite "a single instance in which this Court or any other (aside from the Court of Appeals below) has expressly referred to a corporation’s ‘personal privacy.’ Nor does it identify any other statute that does so." In a sign that the Court continues to have a sense of humor, Chief Justice Roberts expressed hope that AT&T would not "take it personally."

U.S. Department of Health and Human Services -- $4.3M fine, $105,000 per record

On February 22, 2011, the HHS issued a Notice of Final Determination finding that a health plan, Cignet Health of Prince George’s County, Md., violated the HIPAA Privacy Rule, and imposing a fine of $4.3 million on company. This marks the first time the HHS has imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule. The HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October 2009. The HHS took action as a result of the patients’ individual complaints. The HHS has alleged that, during its investigation, Cignet refused to respond to the agency’s demands to produce the records. Additionally, Cignet is alleged to have failed to cooperate with the agency’s investigation of the complaints or produce the records in response to a subpoena. The HHS has found that Cignet failed to cooperate with the agency’s investigations on a continuing basis due to the company’s willful neglect to comply with the HIPAA Privacy Rule. The investigation was conducted by the HHS Office for Civil Rights.

Federal Trade Commission – 20-year consent order, over 1,800 records

On February 3, 2011, the FTC announced that three companies in the business of reselling consumers’ credit reports agreed to settle charges that they did not take reasonable steps to protect consumers’ personal information. According to the FTC’s complaint, the three resellers bought credit reports from the three nationwide consumer reporting agencies and combined them into special reports sold to clients such as mortgage brokers and others to determine consumers’ eligibility for credit. The FTC alleged that the resellers lacked information security policies and procedures and allowed clients that did not have basic security measures in place (such as firewalls or current antivirus software) to access their reports. According to the FTC, hackers exploited these vulnerabilities to access more than 1,800 credit reports without authorization through the resellers’ clients’ networks. In addition, the FTC alleged that after becoming aware of the data breaches, the companies did not make reasonable efforts to protect against future breaches.

The settlements require the resellers to strengthen their data security procedures and submit to audits for 20 years. David Vladeck, Director of the FTC’s Bureau of Consumer Protection noted that this enforcement action “should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it.” “Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system,” added Vladeck.

FINRA -- $600,000 fine for failure to secure over 1M records

On February 17, 2011, the Financial Industry Regulatory Authority (FINRA) -- the largest independent regulator for all securities firms doing business in the United States -- imposed fines of $600,000 against  a securities firm, Lincoln Financial Securities, Inc. and its affiliate, Lincoln Financial Advisors Corporation. FINRA alleged that the firms failed to adequately protect customer information, including by failing to require brokers working remotely to install security software on personal computers used to conduct securities business. FINRA found that for extended periods of time (between two and seven years) the firms’ employees were able to access customer account records through any Internet browser by using shared login credentials. According to FINRA, between 2002 and 2009, more than one million customer records were accessed through the use of shared user names and passwords. FINRA found that the firms did not have policies or procedures to monitor the distribution of the shared credentials, and were unable to track how many or which employees gained access to the customer information during this extended period security vulnerability. FINRA determined that these failures put at risk confidential customer information, including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details. FINRA also found that the firms did not have procedures to disable or change the shared user names and passwords on a recurring basis even after an employee had been terminated. This prevented the firms from determining whether former employees continued to access confidential customer information using the shared credentials.

In assessing sanctions, FINRA took into consideration the firms’ efforts to notify all customers whose account information was or may have been exposed and the firms' offer to the customers of credit monitoring and restoration services for a period of one year.

With privacy enforcement on the rise, it is not worth the financial and reputational risk to wait for a breach, an enforcement action or a critical media report before establishing a robust privacy and information security governance program. If your organization does not have such a program in place, now is the time to act. Legal compliance function, vendor management and appropriate privacy and information security provisions in vendor and customer agreements are just a few of the hallmarks of a program that could have helped avoid these enforcement actions.

Inevitably, Republicans and Democrats are bound to disagree on many aspects of the legislation. For example, while Democrats have sought to expand the Federal Trade Commission’s privacy enforcement jurisdiction, Republicans are keen on keeping the regulators’ power in check. Both parties, however, will have to balance privacy protections against the ability of businesses that leverage personal information to grow and create jobs. Republican and Democratic legislators, as well as the administration, have made repeated pledges to their constituents that saving and creating jobs is their top priority.

Bipartisanship on privacy and information security issues in not unprecedented. Last year, for example, Republicans and Democrats joined in amending the Fair Credit Reporting Act to drastically limit the scope of the FTC’s Identity Theft Red Flags Rule. Whether the parties will in fact cooperate this year is an open question. Republican members of the House have made it clear that 2011 is likely to be a bruising legislative season.

Check back with us often as we track legal developments in the privacy and information security arena.

Traditionally, in the U.S., employees have enjoyed little privacy in the workplace. With respect to workplace communications, for example, employees generally are deemed not to have “a reasonable expectation of privacy.” With some limitations, this allows employers to freely monitor and review employee communications. Employees in the U.S. often must abide by company rules that limit or prohibit personal use of workplace email and provide for monitoring of all employee electronic communications. Companies also may impose sanctions on employees for criticizing or disparaging the employer outside of work, including on social networking websites. In another example of limited workplace privacy, employers regularly obtain credit reports regarding job applicants or employees being considered for promotions. While obtaining a credit report for employment purposes requires the consent of the individual, applicants and employees often are reluctant to withhold consent for fear of compromising their chances of landing a job or a promotion. Many employers obtain credit reports regardless of whether financial considerations are relevant to the job.

The recent court decisions, laws and agency actions we recap in this blog post are changing the workplace privacy rules. Employers should consider these developments carefully in evaluating their human resources, information technology, electronic communications and other policies that affect employee privacy. 

U.S. Supreme Court Offers Guidance on Employee Privacy in City of Ontario, California v. Quon

On June 17, 2010, the U.S. Supreme Court ruled in City of Ontario, California v. Quon that a police department did not violate an officer’s Fourth Amendment rights when the officer’s supervisor reviewed personal text messages the officer sent using a work-issued pager. The Court held that the search of the messages was reasonable, and did not resolve the question of whether the officer had “a reasonable expectation of privacy” in the text messages. The Court stated that it was reluctant to wade into employee privacy debate in light of the novelty of the issue, the implications of opining on emerging technology before its role in the society has become clear, and the risk of making a ruling that is not fully informed.

The Court, however, set out some of the issues it could have considered had it been inclined to make a ruling on the employee’s privacy expectations. The Court observed that in Quon a finding of an expectation of privacy in text messages could have been supported by the ubiquity of mobile communications that makes the communications essential or necessary instruments for self-expression, even self-identification. On the other hand, the Court suggested that the ubiquity of messaging devices also made them generally affordable, so that employees who need mobile devices for personal use can purchase and pay for their own. The Court observed that employee communications policies shape the reasonable expectations of their employees, especially when such policies are clearly communicated to the employees. The Court left open, however, the possibility that a supervisor’s statement guaranteeing the privacy of an employee’s communications, even if contrary to the company policy, may create an expectation of privacy in the communications by the employee. The court also noted the difference between an employer’s review of workplace communications vs. personal communications. Specifically, the Court observed that an audit of messages on an employer-provided device was not nearly as intrusive as a search of an employee’s personal email account or pager would have been.

Lower courts likely will look to the Supreme Court’s views on employee privacy in considering privacy claims. Likewise, employers should consider the Court’s discussion of employee privacy in developing and implementing employee monitoring policies. The key lessons for private employers from Quon are to (i) have a communications policy that is clear and comprehensive in scope and clearly communicated to employees; (ii) train management to follow company policies and not contradict them; (iii) when conducting a review of communications that might be inconsistent with the company’s electronic communications policy, ensure that there is a legitimate business reason for the review and be cautions to review only what is necessary; (iv) stay abreast of changes in privacy laws and relevant court decisions. 

New Jersey Supreme Court Upholds Privacy Claims in Stengart v. Loving Care Agency, Inc.

Private employers should pay equal if not greater attention to many state court cases that have dealt with the issue of employee privacy. Unlike Quon, these state court decisions (as well as federal court decisions that apply state law) are directly applicable to private employers. In arguably the most important state decision on employee privacy of 2010, the New Jersey Supreme Court ruled, on March 30, 2010, for the former employee on the employee’s claim that state’s common privacy law protected certain of the employee’s emails from review by her employer.

The New Jersey Supreme Court considered whether the former employee – Ms. Stengart – had a reasonable expectation of privacy in certain emails she exchanged with her attorney. The email exchange took place over Stengart's personal, web-based email account. Stengart, however, used her company-issued computer for the communications. Images of the emails were saved by the employer’s monitoring system, which retained every web page visited on the computer. In the course of subsequent litigation against Stengart, Loving Care – the former employer – retrieved Stengart’s communications with her attorney from the laptop and sought to use the emails in the litigation. Stengart argued that the employer could neither review the emails nor use them in the litigation because she had a reasonable expectation of privacy in the communications. The New Jersey Supreme Court agreed. 

The Court found the company’s electronic communications policy to be ambiguous and interpreted the ambiguity against the employer. The policy stated that the company could review any matters on the company’s media systems and services at any time, and that all emails and communications were not to be considered personal or private to employees. The Court found the policy’s disclosure of employee monitoring insufficient because it did not inform employees that the company stored and could retrieve copies of employees’ private web-based emails. The Court also concluded that the policy failed to state expressly that the company would monitor the content of email communications made from employees’ personal email accounts when they were viewed on company-issued computers. The Court held that Stengart had a subjective expectation of privacy in communications she sent using her personal web-based email account, and that the company’s ambiguous boilerplate electronic communications policy did not quash Stengart’s expectation of privacy in the emails.

The Court acknowledged that employers may adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business. The Court held, however, that an employer may not read the contents of an employee's attorney-client communications sent or received using personal web-based email. The Court held that a policy that allows the employer to review such communications is unenforceable. 

Although the decision dealt with attorney-client communications, it also has implications for any personal emails (such as communications regarding health or financial issues) employees send over private web-based email accounts. For example, the court noted that employers that record and review screen shots on workplace computers will need to provide employees with a detailed, specific notice of such monitoring to the extent the screen shots also record emails employees send or receive via private web-based accounts. The Court also cautioned that a policy that permits “occasional personal use” of workplace email systems may create an expectation of privacy by employees with respect to personal emails they send or receive via company email. 

NLRB Alleges Firing an Employee for Facebook Comments Violates Federal Law

On November 8, 2010, the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB took the position that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The terminated employee was a union member, but the NLRB asserted that the right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions.

Employers should consider the NLRB complaint carefully in reviewing their policies regulating social media use and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company “in any way” on Facebook or other social media sites where the employees posted their pictures, or from making disparaging or discriminatory comments when discussing the employer or management. The NLRB action does not mean that the right to talk about employers on the web or outside of work is absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee’s manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law.

States and Federal Regulators Push to Restrict Use of Credit Reports for Employment Purposes

The drive to limit the use of credit reports for employment purposes is in large part a reaction to the damage the continuing economic downturn has inflicted on individuals’ credit histories, creating a barrier to the individuals’ ability to reenter the workforce.

In 2010, Illinois and Oregon enacted legislation that limits the use of credit reports for employment purposes. Similar laws are in place in Hawaii and Washington and are being considered in Connecticut, Illinois, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, the federal Equal Employment Opportunity Commission (EEOC) filed an unusual action accusing an employer of discriminating against black job applicants in the hiring process on the basis of using the applicants’ credit histories.

The Illinois law, the Employee Credit Privacy Act, became effective January 1, 2011. The Act makes it illegal for employers to discriminate against job applicants on the basis of their credit histories and outlaws inquiries about applicants’ and employees’ credit histories. The law permits employers to conduct background investigations that do not include a credit history or report. In addition, the Act allows employers to obtain and consider credit reports in connection with jobs that involve (i) bonding or security under state or federal law; (ii) custody of, or unsupervised access to, $2,500 or more in cash or marketable assets; (iii) signatory power over businesses assets of $100 or more per transaction; (iv) management and control of the business; or (v) access to personal, financial or confidential information, trade secrets, or state or national security information. The law includes a private right of action, including the right to sue for injunctive relief and obtain attorneys’ fees.

The Oregon law came into effect on July 1, 2010. With certain exceptions, the law prohibits Oregon employers from using credit history in making hiring decisions or any decision affecting current employees. The law exempts from the prohibition federally-insured banks and credit unions, businesses required by law to consider employee credit history, and police and other public employers when hiring for law enforcement or airport security positions. In addition, the law permits employers to conduct credit checks for “substantially job-related reasons” provided the reasons are disclosed to the employee in writing. The Oregon law gives individuals the right to file an administrative complaint or a private lawsuit, and allows the recovery of attorneys’ fees.

While there is no federal prohibition against the use of credit reports for employment purposes, it appears that federal regulators may be seeking to curtail the practice. Specifically, in December 2010, the Equal Employment Opportunity Commission sued an employer in connection with use of credit reports in the hiring process. The EEOC alleged that the company used the reports in a way that discriminated against black job applicants. Emphasizing the broader reasons for the suit, the EEOC signaled that it believes that employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job. The EEOC noted that credit histories are not complied to evaluate responsibility, are often inaccurate, and may not be a good indicator of an individual's qualifications for a particular job. In the suit, the EEOC alleged that rejecting applicants based on credit histories had a significant disparate impact on black applicants. In addition to other relief, the EEOC is seeking a permanent injunction to stop the employer’s use of credit histories in hiring and other employment decisions.

Additional Information Regarding Workplace Privacy Issues

For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email bsegalis@infolawgroup.com for registration details.

The FTC developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. The framework is designed to reduce the burdens of protecting online privacy on consumers and businesses. The report is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.

Building on the FTC’s guidance on behavioral advertising, the proposed framework seeks to further expand the scope of protected data beyond the traditional notions of “personally identifiable information.” Specifically, the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share or otherwise use consumer data that can reasonably be linked to a specific consumer, computer or device.

In developing the proposed privacy framework, the FTC observed that:

•  there is ubiquitous collection and use of consumer data online;

• the distinction between personally identifiable information and anonymous or de-identified information is blurring;

• the increased flow of information, including consumer data, creates significant economic benefits;

• the FTC’s existing “notice-and-choice” model of privacy protection has led to companies publishing privacy policies and notices that are long, legalistic disclosures that consumers usually do not read and do not understand;

• current privacy policies force consumers to bear too much burden in protecting their privacy;

• the FTC’s existing “harm-based model” of privacy protection, while focusing on protecting consumers from specific harm (e.g., physical or economic) has failed to recognize less tangible privacy concerns such as reputational harm or the fear of being monitored;

• both of the FTC’s privacy protection models (“notice-and-choice” and “harm-based”) have failed to keep up with data collection technology, including data collection that is invisible to consumers and website owners;

• industry efforts to address privacy through self-regulation have been “too slow” and have failed to provide adequate and meaningful protection to consumers;

• some companies manage consumer information in an irresponsible and even reckless manner, and many companies do not adequately address consumers’ privacy interests;

• many consumers are not informed about or cognizant of the risks associated with the collection, sharing and other use of their personal information; they lack understanding and ability to make informed choices about the collection and use of their data.

To reduce the burden on consumers and ensure basic privacy protections, the report makes a number of recommendations, which are summarized below.

1.       Privacy by Design

The report recommends that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include reasonable security for consumer data, limited collection and retention of such data, secure disposal of the data and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services. The report calls for companies to implement these concepts in a systematic manner, scaled to each company’s business operations, including the amounts and types of data the organization processes. 

2.      Notice

The report calls on companies to improve their privacy policies and notices so that interested parties can compare data practices and choices across companies. For example, to facilitate meaningful choice, the FTC is recommending just-in-time concise notice and choice at the data collection point or before a consumer accepts a product or service. The FTC believes that privacy policies will continue to play an important role in promotion transparency, accountability and competition among companies on privacy issues – but only if the policies are clear, concise and easy to read. The report also recommends consideration of standardized privacy notices that allow consumers to compare information practices of competing companies. Finally, the FTC has reminded organizations that they must provide robust notice regarding material, retroactive changes to data practices and obtain affirmative consent to such changes.

3.      Choice, Including a Do-Not-Track Mechanism

The report calls for companies to provide choices to consumers about companies’ data practices in a simpler, more streamlined manner than has been used in the past. Consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. The report suggests that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices associated with processing consumers’ transactions, internal business operations (such as improving services), fraud prevention, legal compliance and first-party marketing. Some of these data uses are apparent in the context of the transaction, while others are accepted or necessary for public policy reasons. For data practices that are not commonly accepted or necessary, consumers should be able to make an informed and meaningful choice. The FTC used the report to remind organizations that they must obtain affirmative consent for material, retroactive changes to their data practices.

One method of simplified choice the FTC has recommended is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The FTC has recommended a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The FTC believes that a practical solution is technologically feasible and suggests that the most practical method could involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted advertising.

4.      Access

The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Because of significant costs associated with access, the report suggests that access should be proportional to both the sensitivity of the data and its intended use.

We note that the data access principle, although novel in the U.S., is a well-established requirement in the European Union and some other jurisdictions that have adopted omnibus data protection regimes. In addition, providing reasonable access to personal data is one of the seven privacy principles mandated by the EU-U.S. and Switzerland-U.S. Safe Harbor programs. Accordingly, many U.S. entities that have certified compliance with the Safe Harbor are already complying with the data access requirement with respect to personal data they receive from Europe.

5.      Privacy Awareness

The FTC has proposed that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. The FTC believes that increasing consumers’ understanding of commercial data collection practices will facilitate competition on privacy among companies.

6.      Enforcement

The FTC reiterated its resolve to take action against companies that “cross the line” with consumer data and violate consumers’ privacy – especially when children and teens are involved. The Commission also made clear that consumers’ choices should be respected. The FTC will not tolerate use of technology to circumvent consumer choice.

In issuing the report, the commission posed a series of questions to privacy stakeholders. The deadline for submitting comments to the FTC is January 31, 2011. The questions concern the scope of the companies and data to which the framework should apply; the substantive privacy protections the framework offers; data management procedures; practices that should require meaningful choice; the “do-not-track” proposal; transparency of privacy practices and improvement of privacy notices; data access; and consumer education.

Please check back with us as we address the report in more detail in the coming days.

Tanya Forsheit.  Litigation is my first professional love, and privacy and data security are a close second. Prior to founding the InformationLawGroup, I was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where I launched the firm’s Privacy Law Blog in 2007. I work with clients to address legal requirements and best practices for protecting customer and employee information. I also have extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts. In 2009, I was honored to be named one of the Daily Journal’s Top 100 women litigators in California. I am First Vice President of the Women Lawyers Association of Los Angeles, I sit on the Executive Committee of the Los Angeles County Bar Association Entertainment and Intellectual Property Section, and I am co-chair of the American Bar Association’s Information Security Committee Cloud Computing Law Working Group.

David Navetta.  Dave has over 12 years of legal experience, including in the areas of information security and privacy contract and policy drafting, breach notice legal services, risk management consulting and regulatory compliance. Prior to starting his own firm, InfoSecCompliance LLC in 2005, he worked as an assistant general counsel for a major insurer’s eBusiness risk group, where he analyzed and forecasted information security, privacy and technology risks and drafted policies to cover such risks. He was a litigator at the Chicago office of an international law firm prior to going in-house. He currently serves as a Co-Chair of the ABA’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Dave is now working on a book concerning PCI contracting.

Scott Blackmer.  Scott has practiced information technology law since 1982. He has been listed in several peer-reviewed directories of prominent IT lawyers, including the Legal Media Group’s Guide to the World’s Leading Technology, Media & Telecommunications Lawyers. Formerly a partner in the Washington, D.C., and Brussels offices of WilmerHale, Scott serves on the executive management team of the First Law International legal network in Brussels. He also consults on privacy, data protection and security issues in association with HR Privacy Solutions in New York and Jeitosa Group International in San Francisco. He also serves as general counsel to the Trusted Computing Group, XDI.org, and OpenID Foundation, and he counsels other industry associations, corporations and entrepreneurs. He has advised federal and state agencies as well as the European Commission on privacy and security issues, and he currently serves as a privacy advisor to the U.S. Social Security Administration. Scott also arbitrates Internet domain name disputes brought before the World Intellectual Property Organization (WIPO) in Geneva. Over his long career, he has worked on transactions and licensing, compliance issues, litigation, and arbitration matters in over 100 countries.

All three of us frequently speak and write on privacy and data security issues. Dave and I are both Certified Information Privacy Professionals through the International Association of Privacy Professionals.

We have successfully served a diverse range of clients: from large Fortune 500 multinationals and name-brand traditional brick-and-mortar companies, to small start-ups and technology service providers.  Our law practice uses an integrated approach combining technology and administrative controls, legal compliance, contractual vendor management and risk.

We look forward to meeting you soon!