U.S. Supreme Court Case Tests Privacy in Employment Context

This post was written by Paul Bond.

Companies routinely issue communications devices to employees for on-the-job use. Employees routinely use such devices to conduct personal business, wasting company resources and sometimes violating company codes of conduct. Under what circumstances may a company monitor messages to and from an employer-issued device? That question is currently before the U.S. Supreme Court in the case City of Ontario v. Quon.

The CSO Breakfast Club, an organization of Chief Information Security Officers from around the country, recently interviewed Rimon attorney Paul Bond about the potential ramifications of the case.

The City issued Sergeant Quon a pager for work use and he signed an agreement acknowledging he had no expectation of privacy in his communications. When Sergeant Quon kept going over his character quota, a supervisor told him the supervisor would not audit communications, provided Sergeant Quon paid for the overages. A departmental audit revealed that Sergeant Quon was regularly sending highly inappropriate texts to his wife, girlfriend, and a fellow officer. All of them sued the City for violations of their constitutional rights to privacy. The Supreme Court briefing and a transcript of the spirited oral argument are available at SCOTUS Wiki, (neither Legal Bytes nor Rimon can vouch for the accuracy of the material or analysis on this external link).

Employers are watching this case closely to see if the nation’s highest court will provide any guidance on the ground-rules for monitoring employee use (and abuse) of company-issued communications devices; but whether you want to stay in tune with developments or you need help in this area, contact Paul Bond. Of course, you can always call me, Joseph I. Rosenbaum, or any Rimon attorney with whom you regularly work.

LifeLock CEO May Not Be Giving Out His Social Security Number Anymore

Todd Davis, the CEO of LifeLock is not the first CEO to appear in advertising, but was probably the first to prominently display his U.S. Social Security Number in full-page ads in major newspapers and billboards across the country. Although these ads disappeared a while ago, the action brought by the Federal Trade Commission and the Attorneys General of 35 states of the United States, has now resulted in a settlement valued at $11 million. FYI, the states involved were: Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia. The settlement resolves claims that LifeLock’s advertising was deceptive and misleading and misrepresented the types of services consumers could expect if they become victims of identity theft and their personal information was compromised.

While LifeLock does provide some measure of identity-theft protection, it was apparently not as robust and comprehensive as the advertising might lead a consumer to believe (personal information would be “useless to a criminal”). As a result of the action, not only has LifeLock promised to make changes (or has already made changes) to address the FTC complaint – in its business practices as well as its advertising – but the complaint also named CEO Davis and his co-founder Robert J. Maynard, Jr., who both will be barred from making the same misrepresentations as LifeLock. The $11 million received from LifeLock will provide refunds to consumers who signed up for the service. Information about eligibility and how the redress program will work can be obtained directly from the FTC – LifeLock Redress Program.

FTC Chairman Leibowitz stated: “Consumers received far less protection than they were promised," noting further that LifeLock’s service was ineffective against identity theft involving existing credit cards or bank accounts. Despite the advertised claims, according to the FTC, LifeLock often did not encrypt data in storage or transmission, didn’t install any antivirus protection software on computers used by employees, and failed to even require strong password protection for employees’ access to systems and files.

The documents were filed by the FTC in the U.S. District Court for the District of Arizona, and you can obtain a full copy of the original Complaint and the Stipulated Final Judgments against LifeLock, Davis and Maynard, right here: Federal Trade Commission v. LifeLock.

The Advertising Technology & Media law practice has lawyers and the resources of Rimon’s litigation and regulatory enforcement team to help clients seeking to prevent legal and regulatory problems and, if necessary, defend you if they arise. We have a team of data security and identity-theft lawyers with hands-on experience who know how to respond if a data breach occurs and can counsel you in complying with federal and state requirements. Need to know more? Call Joe Rosenbaum, or any of the lawyers at Rimon with whom you work – and, by the way, don’t give out your Social Security Number.

Isn’t Technology Supposed to Help Us? Help Us Work Smarter?

If you have been reading Legal Bytes regularly, you know that Lois Thomson here at Rimon has been one of the primary people supporting my efforts to transform "legal-ese" into understandable English – no trivial task for those of you who are interacting or have ever interacted with lawyers. So it is with great joy that I was not only able to have her write a post for Legal Bytes, but that I also finally got to edit her article. Hopefully she will smile and agree it’s been helpful. So, Lois, thank you, and here is your relevant and very timely note for all the world to see:

"I looked at an email I received from my friend, Robert, and wondered why the subject line was a reply regarding an issue of Legal Bytes that I had proofread for Joe Rosenbaum. ‘Are you aware that you have been sending these to me?’ Robert’s message read. ‘It seems like that might have been a mistake.’

"Ouch! A mistake indeed! You see, when Joe sends his documents to me to review, I proof them and make my suggested changes. I then simply hit the forward button to return them to him. Now as many of you email-program (e.g., Outlook) users already know, to make life easier (that’s ostensibly what technology is supposed to do), once I start to type in "ro," Rosenbaum, Joseph I.’s name should automatically populate the ‘To’ field. Oops. Not this time. Instead, my friend Robert’s name came up, and without looking – as I’m guessing so many of us routinely do – I hit enter and sent it off, pleased I had been so timely and responsive. Unfortunately, I was responding to my friend Robert, who may happily read Legal Bytes, but not, I suspect, the artist’s proof!

"Fortunately, Joe and Robert were gracious about the whole thing and in this case, both felt no harm was done. But what if the message had been from your lawyer or doctor or a rabbi or priest, or was some other communication that was not ultimately meant for public consumption. It was a simple but powerful reminder to me (and one that Joe felt was important enough to ask me to pass it on to you), that while automated tools can make routine tasks like ‘field completion’ simpler, they can also lead to problems if we rely on them without thinking. Hmmmm, now why can’t I remember phone numbers anymore – is it because they are all programmed into every device I own, so that I no longer have to think?"

A helpful reminder that while automated tools are great, they are just that – tools. If we aren’t careful, the tools can work against us and not for us, and can create embarrassment at best, liability at worst. Thank you Lois (and Robert).

Need to know more? Contact me, Joseph I. Rosenbaum, or any Rimon attorney with whom you regularly work. Need proofreading skills? If you don’t work for Rimon, don’t call Lois. She’s busy helping us every day. Thanks again, Lois.

HITECH Means High Stakes in First-Ever State HIPAA Lawsuit

Yesterday, the Attorney General of the State of Connecticut filed suit against the Connecticut subsidiary of Health Net, charging it with violations of the privacy and security requirements of HIPAA. The action, filed yesterday in the United States District Court in Connecticut, comes on the heels of a security breach involving medical records and Social Security numbers. The suit also names United Health Group Inc. and Oxford Health Plans LLC, who acquired Health Net of Connecticut but who were not involved in the data breach.

If you forgot, last year the Health Information Technology for Economic and Clinical Health Act (HITECH), for the first time authorized individual state attorneys’ general to enforce the security and data privacy regulations under HIPAA, and this appears to be the first such action.

The lawsuit claims that Health Net in Connecticut failed to provide adequate security for the medical and financial records of hundreds of thousands of enrolled individuals, and failed to notify them promptly in connection with the breach. The breach, which took place last May, involved the disappearance of a computer hard drive. Health Net eventually reported the breach, posting a notice on its website and starting a staggered process of mailing letters to consumers November 30, 2009, almost six months after the security breach. For those of you involved in the collection, handling, maintenance, or use of personal, financial and medical information covered by HIPAA, new federal rules under the HITECH Act require “timely” notification of certain breaches, rules that have a compliance deadline of February 22, 2010.

Health Net attributed the delay in reporting to its inability to determine exactly what was on the computer hard drive that disappeared, thus not being sure if a notice was even required. One can only surmise that the mere fact that Health Net didn’t know what information was contained on a removable computer hard drive made its reasoning less than satisfactory to the Connecticut State Attorney General. Although Health Net appears to have conceded that the data was not encrypted, it did indicate that the data should not be visible without the use of specific software. However, Kroll Inc., a computer forensic firm retained by Health Net to investigate the breach, reported the data could be viewable with commonly available software.

Privacy, security and data protection of non-public, personally identifiable and sensitive information (e.g., health, financial data) are increasingly subject to stricter rules and regulations. The use of the Internet and web, making digital information more susceptible to undetected duplication, transmission and access – not to mention the obvious fact that carrying millions of pages of records would be impossible, while walking out with a single hard disk or CD-ROM on which the same data and information has been scanned or stored in digital form – can be virtually undetectable.

Do you know of any law firm that has a team of privacy and data security, identity theft and data breach legal professionals? A firm that has health care, financial services and insurance specialists, as well as lawyers steeped in digital technology, information security and e-commerce? A firm that has transactional, regulatory compliance and policy-oriented lawyers who can audit current practices and policies, assist in developing mechanisms needed to satisfy regulatory requirements, and provide legal support to help avoid a legal problem, and also regulatory, compliance and litigation professionals who can represent and defend clients if a problem arises? Now you do – Rimon. If you need more information, contact me, Joseph I. (“Joe”) Rosenbaum, or Mark Melodia or Paul Bond, or the Rimon attorney with whom you regularly work, if you need legal advice, information or support on this subject.

Will Net Neutrality Compromise Net Profits?

Earlier today, Julius Genachowski, Chairman of the Federal Communications Commission (FCC), telegraphed the Commission’s plans to open a formal rule-making process on the issue of “net neutrality.” It’s likely the specifics regarding hearings and a timetable for any proposed rulemaking procedures will be on the agenda for the FCC’s October meeting.

While many of the major carriers – including wireless carriers who have typically been out of the fray when it comes to the Web – have argued against both the need and the wisdom of competitive regulation amongst carriers, open Internet advocates, many of whom were ardent campaign contributors and supporters of President Obama, have been aggressively pushing for regulation. Companies such as Amazon.com and Google, have long argued for rules that would prohibit carriers from denying their right to give consumers complete freedom of choice when it comes to both the content they receive and the devices they use to receive it. While not necessarily quibbling with what appears, on its face, to be a reasonable and market driven approach, opponents point out that the government stay away from intervening in yet another major marketplace – this time one, they argue, that isn’t broken. Further, and perhaps more significantly, companies such as ATT and Verizon, now joined by ATT Wireless, Verizon Wireless, Sprint (Sprint Nextel) and T-Mobile (Deutsche Telekom) argue that forcing carriers to open up their networks without corresponding economic counterbalances in place will force them to either raise consumer prices to keep up with virtually unrestricted broadband demand, but may require them to limit availability and accessibility for capacity and technological reasons. Wireless carriers may have special reasons to be concerned given current pricing models and the technological limits of current bandwidth capacity. That said, the major cable television, fiber optic and DSL-based Internet providers have long had to cope with government regulation and requirements.

Back in the days following the breakup of AT&T’s telephone monopoly (anyone remember Judge Green and his landmark 1983 rulings?), the regional and local companies spawned by carving up the nations’ previously regulated monopoly – the so-called ‘Baby Bells’ – worried about long-distance carriers (including the remaining long distance carrier, AT&T) making deals for preferential treatment over interconnections. Thus the principle of equal (“neutral”) treatment for interconnectivity arose. When cable companies started offering Internet service – previously the domain of phone-line intensive telephone companies (remember dial-up?) – they tried to convince everyone that neutrality didn’t apply to them. They carried information, and weren’t, after all, common carriers.

OK. Fast forward to the market response. Phone companies decided to get into the content business! Cable companies are offering Internet and VOIP services, telephone companies are offering entertainment, programming and information services, wireless phone services stream video content and provide messaging of news, sports scores and applications galore (oh, they do still carry voice traffic when you need to make a call).

So back to 2009 and the future. According to Commissioner Genachowski: “This is not about government regulation of the Internet,” adding that “We will do as much as we need to do, and no more, to ensure that the Internet remains an unfettered platform for competition, creativity, and entrepreneurial activity.” That said, his proposal would add a fifth principle to the FCC’s existing four that relate to the Internet. To wit, that carriers will not be permitted to be selective about the content they carry (subject, of course, to their continued ability to block illegal content) and will be required to be transparent about how they are managing the carriage of content across their networks. Violations and allegations of discriminatory practices would still be reviewed by the FCC as and when the facts of each specific case arise. You can read or download the complete statement of Commissioner Genachowski’s prepared statement today, entitled “Preserving a Free and Open Internet: A Platform for Innovation, Opportunity, and Prosperity,” right here.

Clearly if you are a small Internet application provider or software developer that has traditionally had to pay for access through a carrier, open, non-discriminatory access would prove a major boon. Then again, Internet carriers – wired and wireless – have invested huge amounts of capital in building their own proprietary networks. Since there is no evidence that there is a lack of competition, why should the government tell any of them what they should or should not carry on their networks? Indeed, since the early 1990s, when the Web evolved from a glimmer in the eye of Tim Berners-Lee, to a reality, there have been so few real complaints (and so few complaints from consumers, even as competitors bash each other about), why fix something that doesn’t appear to be or have been broken for almost two decades?

Confused as to how the FCC proceedings might or might not affect your business? Thinking about participating in the dialog or submitting comments to the FCC? Let Rimon help you. To stay informed, keep your mouse tuned to Legal Bytes, and if you need to know more, please feel free to call me or the Rimon attorney with whom you regularly work.

A Pirate’s Life (Not) For Me: France Strikes Out Internet Piracy

This post was also written by Andrew Boortz.

Over the last several months, France’s Parliament has been focusing on the issue of Internet piracy. In May, both houses of the French parliament passed the so-called “three strikes” law which would have given an independent body the ability to disconnect file-sharers from their ISPs. In June, the law was declared unconstitutional by the Constitutional Council because, under French law, the power to force such disconnection could only come through issuance of a court order. In response, French President Nicolas Sarkozy gave the first Presidential speech to the French Parliament in 150 years and passionately defended regulation of Internet piracy.

After President Sarkozy’s speech, the French Senate drafted and passed a modified version of the “three strikes” law which would allow alleged infringers to present their case to a French court, prior to losing their Internet connection. Judges in these hearings would have the power to: (1) order disconnection of the alleged infringer’s Internet access; (2) fine the alleged infringer up to €300,000; and/or (3) sentence the alleged infringer to a two-year prison term. Just yesterday (September 15th), the French National Assembly gave preliminary approval to the measure by a vote of 285-225 and now, a joint committee will unify the Senate and Assembly versions and present a final bill to both houses for a vote on September 22nd.

In looking back over the piracy-related events of this year, it may well turn out that 2009 will be remembered as a watershed year in the struggle between Internet pirates and rights holders.  With the Jammie Thomas and Joel Tenenbaum verdicts in the States, the pseudo-shuttering of the Pirate Bay in Sweden, the implementation of a self-imposed, self-regulatory “three strikes” policy by Ireland’s largest ISP (created under threat of massive litigation) and now France’s revised and revitalized new “three strikes” law, the global community is indeed tilting towards greater sanctions and regulation of Internet piracy.

This raises questions for technology innovators. For example, Facebook, which according to a CNN report out today has a social network population nearly as large as the population of the United States, will soon launch a voice chat feature.  Most likely, the feature could be used to stream media across the globe as well as the nation? Would Facebook be liable for creation and distribution of such a feature, which is similar to that which created liability for the Pirate Bay creators for their torrent-tracking website?

Need help? Confused by the torrent of information, technology and legal rights?  Need to know more? Contact Andrew (“Drew”) Boortz, in our Washington, D.C. office, call me or contact the Rimon attorney with whom you regularly work.

Identity Theft: Don’t Just Yell ‘Stop Thief.’ Audit Something!

It was 1998 and identity theft had not yet hit the radar screens as heavily as it would during the course of the next decade. Who could predict? So when I received a call from Albert J. Marcella, Jr. Professor of Management in the School of Business and Technology, Department of Management, at Webster University in St. Louis, who said he was putting together an “audit oriented” publication for The Institute of Internal Auditors to guide professionals who were becoming increasingly concerned about online identity theft, I naturally wondered what I could contribute to that effort.

So we spent a great deal of time collaborating about what we knew, speculated about what we did not know, and tried to put the work in context—specifically, guidance for corporate auditors and security management professionals on what they needed to know as sensitive, personally identifiable information migrated online. The result, of which my contribution played only a small part, was a book entitled www.STOPTHIEF.net, Protecting Your Identity on the Web, published in November 1999 by The Institute of Internal Auditors.

Identity theft, not a brand new crime even then, had a new face in our online, digital interconnected world. And, it was growing and pervasive, and its implications—if for no other reason than the sheer magnitude of the potential risks and the speed at which they would materialize on or through the Internet—were unprecedented and were becoming global.

I now know what I could not have known then—that more than 40 states have passed identity theft statutes and that the Privacy Rights Clearinghouse website, which takes pride in cataloging such things, estimates that as of a day or two ago, 263,247,398 records containing sensitive personal information were involved in security breaches in the United States since January 2005—six years after the publication became available.

To appreciate the foresight and to learn about those audit guidelines and benchmarks, you have to buy the book. But to read my personal piece of that collaborative effort—an end-piece summary of the legal implications entitled “Technology, the Internet and Cyberspace: Challenges to National and International Privacy“, you just have to read Legal Bytes.

Better to Lose Face Than Facebook

Facebook, the very informal and ostensibly open social network, hinting at an apology for what its CEO acknowledged were “overly formal and protective” Terms of Service, did an abrupt about-face recently, retracting them and reverting to its old Terms of Service—presumably reacting to a sea of complaints from just about everyone. Complaints? Over legal terms—does anyone still read them? Well, they do, and they didn’t like what they read—particularly the part that claimed unrestricted, perpetual ownership of your personal data, even if you decide to delete your entire account and go away. 

While we respect Facebook’s right to better manage, control, and disclose to consumers how and for what purpose it treats and handles personal data, it highlights a number of things the online world continues to teach us. First, don’t assume those innocuous changes buried somewhere in terms of service, terms of use, privacy policies, codes of conduct, rules of the road, or whatever you choose to call them, aren’t being scrutinized—by consumers, by your customers, by the media and, lest we forget, by regulators and legislators. While Facebook has not admitted it was caught a bit red-faced, it is taking your feedback in a “Facebook Bill of Rights and Responsibilities” group to which you can contribute your thoughts. For those in the know, Facebook’s population has grown to more than 175 million users—does that make it the sixth-largest country in the world? Hmm, I wonder if that country has a growing budget deficit too; we’ll have to wait for the State of the Reunion speech, when results are posted, to find out.

Cyber Attacks? It’s Not Just War Games Anymore

Is a cyber attack an act of war? Analysts reported that while the Russian military was acting against the Georgian republic, Georgian websites were also under attack. Cyber warfare can exploit security gaps to take control of civilian infrastructure, such as power grids, as well as government websites and military command and control operations. It has long been known that cyber-weaponry could supplement (and sometimes replace) traditional military activities. But when does a cyber-attack itself constitute an act of war? (We all appreciate the notion of “war” as a historical concept is and continues to change.) Tactics such as urban warfare, bioterrorism and suicide bombers have caused grave concern, not only over government’s ability to deter violent and damaging non-traditional acts of war, but also how to respond when they occur. A big challenge in the cyber warfare world is identifying who did it. In 2007, Estonia asked NATO to come to its defense when a cyber attack disabled government and bank websites. Apparently in 2008 we didn’t need a cyber attack to bring down some of our financial institutions (sorry, couldn’t resist). Question—how does one respond to a cyber attack—with bullets or chips?

California’s a Trendsetter—-This Time it’s Privacy

No longer merely the source of new fashion trends or technology movements (or McDonald’s), California is quickly becoming the thought leader in protecting consumer privacy. Two new laws, one which deals with personal information given to third parties for marketing (SB27) and another which obligates businesses to adhere to certain security requirements for using and storing personal information, both came into effect January 1, 2005. The new law requires businesses with 20 or more employees to give consumers detailed disclosures about not only what customer information they have shared with third parties, but also the contact information for and descriptions of those parties. Want to avoid the disclosure obligations? Simple. Allow your customers a free opt-out election from having their personal information shared. That said, you will still have to let your customers know how and to whom they can inquire about these requirements – even if your business offers the opt-out choice to consumers. By the way, if you are already subject to the stricter requirements of California’s financial privacy act, you are exempt. While there are some additional exemptions, they are narrow, and anyone doing business in California shouldn’t be too quick to conclude they are exempt without consulting legal counsel. California’s Office of Privacy Protection has drafted a set of recommended practices which attempts to harmonize the requirements of this new act with the California online privacy act, the state’s financial privacy provisions, the federal Gramm-Leach-Bliley Act, HIPAA, and European Union privacy directives. Good luck.

Do you or your contractors have sensitive personal information (e.g., names and addresses in combination with social security numbers and PIN numbers) that could lead to identity or financial theft if compromised? What about medical information about a person’s diagnosis and treatment? Start ensuring you have “reasonable” practices to protect that information from unauthorized access, use, modification and disclosure—and it doesn’t matter if the information is on paper or in electronic form. Both are covered. While the legislative history makes it clear that no one particular standard is “the standard” for “reasonable” security, a company will need to designate a specific individual who is responsible for the company’s security program, and will need to establish a security task force—including a compliance officer and legal counsel. To avoid running afoul of the standards, not only must practices and a task force be implemented, but companies will also have to demonstrate they periodically test and monitor how the security measures are working, make risk assessment, and fine-tune their security measures to keep them updated appropriately. Need employee training? Need help implementing background checks, confidentiality agreements, encryption and record retention/destruction requirements, and disciplinary measures? Call the lawyers at Rimon. We can help.

Remember California’s security breach notification law (we told you about this and you get another prize if you can identify the back-issue in which we did so)? That law requires businesses to disclose security lapses. This new law creates a new duty and standard of care. Lawsuits arising from breaches in security (you remember California’s Business and Professions Code section 17200) can now use AB1950 as a discovery prod to determine if your business has used and effectively maintains reasonable security measures.

Consider this: California has already passed more than a dozen laws to protect privacy—many of which have now spawned federal legislation, some already passed and others in process. SB186 bans unsolicited e-mail and AB1769 bans text messaging advertisements to cell phones and pagers. AB1733 mandates consent from customers before a wireless carrier can list their phone numbers in a 411 directory, and SB1436 restricts keystroke monitoring software, website tracking software, and software that attempts to control personal computers.