Privacy is Back in the News

In last month’s issue, we mentioned (in “Gnu & Gnoteworthy”) the F.D.I.C. released a report entitled “Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks”. Well, privacy issues are popping up all over the place again.

California Financial Privacy Act

The California Financial Privacy Act of 2003 became effective July 1st and requires banks to give customers the right to opt out of sharing information with bank affiliates with separately regulated lines of business and requires banks to get permission from customers to share information with outside companies. After the law was enacted, the American Bankers Association, Consumer Banking Association and Financial Services Roundtable filed suit claiming the Fair Credit Reporting Act—the federal law regulating sharing of information among affiliates—preempted state law and thus the part of the statute attempting to limit sharing of information among affiliates is invalid. Not so, said the Judge—to the surprise of bankers scrambling to comply—a recent notice from the California Department of Financial Institutions indicated it would begin enforcing the law immediately!

The Judge ruled that since the FCRA only applied to the sharing of “credit reports,” the California law covering a broader range of customer information was not preempted by federal law. Will the ruling be appealed? Will other states follow suit?

Continue reading “Privacy is Back in the News”

Spyware

A Utah statute, the first in the nation, entitled “The Spyware Control Act,” was originally scheduled to take effect on May 3, but has been delayed by a legal challenge brought by a New York-based company, WhenU.com. WhenU.com filed suit in Salt Lake City on April 12, seeking a declaration that Utah’s new law violates the U.S. and Utah Constitutions. WhenU.com claims the act—which targets software downloaded onto a consumer’s computer that triggers pop-up advertisements—unfairly targets online contextual advertising services that aren’t linked to websites, but instead sells ads based on consumer browsing preferences. The Utah Attorney General agreed to delay the effective date of the Act until the hearing to allow WhenU.com to seek a preliminary injunction delaying implementation of the law. WhenU.com hopes it can persuade the court to delay enforcement until a trial can be held to test WhenU.com’s claims that the law is unconstitutional. At the hearing, WhenU.com’s lawyers argued that regulation of advertising on the Internet is a matter of interstate commerce subject to federal, not state, jurisdiction. Arguing the State’s case, lawyers noted that disrupting a consumer’s browsing and highlighting competitors goods and services is the kind of consumer protection the Utah Legislature has a right to prohibit. In protecting consumers, lawyers for the State also argued that computer users are often tricked into installing such software without adequate disclosures and then find it difficult to remove when unintended or unwanted consequences arise.

WhenU.com noted its software is only installed with consumer consent and that pop-up ads offer consumers useful free features (e.g., weather, screen savers, tool bars) in exchange for allowing software that tracks browsing habits and generates related ads on the screen. With such context-based advertising software, a consumer browsing mortgage lending websites might be offered home loan information from one or more lending institutions. Stay tuned.

L.L. Bean Sues Over Pop-Up Ads

L.L. Bean filed lawsuits last month against Nordstrom, J.C. Penney, Atkins and Gevalia alleging they used pop-up ads that appeared when customers visited the retailer’s website. Each of the retailers named in the action had retained Claria, a software company that creates programs which track browsing habits on the Internet and cause windows or “pop up” advertising displays to appear on the user’s computer screen when the user’s browser visits specific websites. At least one State has already enacted legislation attempting to prohibit certain types of software that trigger such pop-ups (See “Spyware”).

Disaster Recovery – The Short List

Disaster recovery and continuity planning is still on everyone’s mind. Recent trends focus on data management and recovery—not necessarily to ensure continued operations in the event of an unplanned interruption, but most notably to ensure that regulators can monitor, audit and enforce compliance with the laws and regulations that have arisen in the wake of 9-11, and the corporate ‘scandals’ that have plagued businesses over the past few years.

But as many of you know, record-keeping and data backup is only a piece of the puzzle, albeit an important one. Two years ago (September 2002), Rimon conducted a legal briefing to review the issues related to continuity planning, and this month we thought it might be helpful to repeat some of the simple tips that may help you think about disaster recovery. Of course, if you would like a copy of the presentation, or help, just let us know.

  • Get senior management support: Without it you have no money or authority.
  • Identify, evaluate, prioritize: Which critical operations must continue?
  • Retrieve and restore: What resources need to be available?
  • Plan, plan, plan: Alternate locations, communication methods and control centers. Avoid single points of failure.
  • Money: Emergency cash and lines of credit.
  • Communicate: Media, emergency personnel, employees, customers and suppliers.
  • Practice, practice; Test, test, test: Got the message?
  • Educate, train and inform: Everyone should be advised and trained in his or her role.
  • Update, plan, update, plan: Continuity planning is a continuous process.
  • Insurance: Not prevention, but damage control and worth considering.
  • Consider others: Employees, customers, suppliers, business partners. Involve those who will be affected, to the extent you can.
  • Think relationship, not lawsuit: Contracts can be roadmaps for cooperation.
  • Tear up the plan and start again: What if your primary plan doesn’t work?
  • Think globally, act locally: International operations have international problems.
  • Safety first: Safety of people is the first priority. Good people can overcome the toughest challenges—treat them accordingly.

It’s Often the Little Things that Count – Here are Two

Last month, we brought you information about outsourcing—a topic making news daily. This month, we bring you smaller news with potentially bigger implications.

In the biblical prophecy of Isaiah, the wolf lives with the lamb, the leopard lies down with the kid and a little child shall lead them. You can draw your own conclusions as to who are lions, lambs and the little child, but a few days ago, the unthinkable occurred. Sun Microsystems and Microsoft reached peace by dropping most claims, cross-claims and the vitriolic debate raging since 1997 when Sun sued Microsoft alleging violations of its Java license terms. With a trail of litigation which includes U.S. and European antitrust regulators, the announcement is nothing short of astounding. Yes, it remains to be seen whether years of mistrust will dissipate and lead to true cooperation, but this is not simply a truce between two rivals. The Wall Street Journal quotes Tony Scott, Chief Technology Officer for General Motors, as saying “What we try to do is educate them on the real pain customers go through when you have multiple incompatible standards and technologies.” Instead of customers being forced to figure out (and pay for) solutions to interoperability and compatibility problems, vendors are now being pressured to do so. Is this the beginning of a trend? Too soon to tell, but this truce is a big deal—Mr. Scott represents a customer!

And now, number 2. Perhaps we have become less concerned about providing information to “friendly sites,” but Yahoo! has introduced a “paid inclusion” product which allows advertisers to guarantee their sites will show up in searches—although payments do not change the order in which results are displayed. Not to be outdone, Google’s new “G-mail” will have context-based advertising derived from—are you ready—a scan of key words in G-mail received by subscribers, which customizes advertising based on information in the e-mail. G-mail a friend about bowling and you may see a pop-up coupon for a local bowling alley. Marketing professionals and advertisers point to the fact that G-mail is an opt-in service and consumers have shown they are willing to give up privacy to obtain greater levels of convenience.

For the record, cookies were invented to allow you to have a shopping cart and accumulate items when going web shopping. Fast-forward past cookies to
spammers, phishing, pop-ups, invisible GIFs, web bugs, intelligent bots and spyware to this latest announcement. Google can now accumulate a detailed
dossier of individual consumer preferences and the contents of e-mails. No one is suggesting Google would abuse such information or that subscribing is not
truly voluntary, but not only do we know what you did last summer, soon we may also be able to tell you what you are planning next summer.

Privacy Policies to be Required by California on All Commercial Websites

California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.

California’s Online Privacy Protection Act of 2003 becomes effective July 1, 2004, and applies to commercial website owners and online services that collect and maintain “personally identifiable information” from a “consumer” residing in California. This will likely apply to all businesses selling goods or services online in the United States. To comply, among other things, the privacy policy must identify the categories of information collected; third parties who have access; how a consumer may review and correct information; and how consumers will be notified of changes in the policy. The statute also requires website owners to “conspicuously post” a privacy policy on their websites. A website owner can satisfy the requirement by posting the policy on its home page or by providing a hyperlink from that page to the policy. The link must include the word “privacy” and meet certain case, type size, font, or contrasting colors or marking requirements that call attention to the link and the policy. Online service providers must use “reasonably accessible means” to make its policy available.

This act is a good reason for businesses to review existing privacy, website and online practices. Re-examine privacy promises and consider liability waivers. If you have not yet adopted a privacy policy, now is the time to do so!

The Buzz About Sourcing: Out, Near, Offshore, Strategic, Corporate, In…

Not a day goes by that outsourcing isn’t in the news. Not just news, but NEWS. The Wall Street Journal, Information Week, The New York Times, Financial Times, CIO Magazine, American Banker. “Press 1 for Delhi, 2 for Dallas,” “Prove It’s Secure: Legislators Want CIOs and Service Providers to Show that Customer Data Sent Overseas is as Safe as it is at Home,” “Global Talk Gets Cheaper—Outsourcing Abroad Becomes Even More Attractive as Cost of Fiber-Optic Links Drop,” “Offshore Outsourcing: How to Safeguard Your Data in a Dangerous World,” “Weighing the Benefits of Offshore Outsourcing,” “Big-Bank Perspectives on Offshore Outsourcing,” “Lesson in India: Not Every Job Translates Overseas,” “Business Coalition Battles Outsourcing Backlash,” “More Work is Outsourced to U.S., Than Away From It, Data Show,” “Offshoring Can Generate Jobs in the United States”—well, you get the picture. Senator Liz Figueroa (D-Calif.) is seeking legislation prohibiting consumer medical and financial data from being sent overseas without assurances of strong privacy safeguards (remember the U.S. position on the European personal data directive?). Even Alan Greenspan has weighed in, cautioning, “These alleged cures would make matters worse rather than better.”

Both providers and customers consistently articulate several key themes. Many third-party providers can do it cheaper, faster and at higher quality – processing is their business – not yours. Third-party providers survive by keeping up with technology, training personnel and responding to changes quickly and efficiently – often a secondary priority and a headache for other companies. Further, companies are recognizing that allowing a third-party to perform functions and assist in providing services rarely requires relinquishing control or responsibility – in fact, proper management increases, and almost always in a positive way.

Like it or not, outsourcing is likely to remain a significant weapon in management’s arsenal of choices in managing business—an alternative available for consideration as requirements change. Although perhaps obvious, an outsourcing transaction should take into account the following key issues:

  • All or Some?—Assess needs, evaluate priorities, costs and requirements, and understand which functions, process or operations should be outsourced and which retained. Outsourcing is a tool, not an end in itself.
  • Control, Flexibility & Cost—A delicate balance considering the difficulty and implications—especially when entrusted to a third party, or if you are a third-party provider. Agreements must address varying objectives, priorities, customers and suppliers—hardly a trivial exercise.
  • Human Resource—Outsourcing affects employees: seniority, pensions and benefits, decisions involving termination, changes in salary, and even relocation. Immigration issues arise when moving people around—even for temporary training or other assignments.
  • Performance Standards—Defining and prioritizing standards is difficult enough internally and fixing accountability in a contract even more so.
  • Corporate Compliance, Privacy & Security—These issues require careful examination. Functions can be outsourced, but rarely can the responsibility.
  • Relationship Management—Customer and provider must develop a solid working relationship—in operation and spirit. From shifting priorities to changing performance standards—there is no substitute for a strong, effective team approach.
  • International—Global outsourcing gives rise to issues relating to currency fluctuations, differing intellectual property protections, privacy and transborder data flow, surveillance and security, governing law, dispute resolution, and interpretation and enforcement of contracts in local courts; and
  • Insourcing—Sometimes forgotten, no decisions are permanent. Leave room to re-evaluate or move functions from one service provider to another in an amicable transition process. Businesses, operations, requirements and costs change—don’t lose flexibility.

Did you know Rimon has significant experience in handling sourcing transactions—near, offshore, strategic and otherwise? Did you know Rimon may be the only law firm with attorneys here and abroad who have handled major international and multinational outsourcing transactions for financial institutions, airlines, health care providers, telecommunications and manufacturing companies, to name a few? Did you know Rimon lawyers are adept at looking at both the purely legal and contractual issues, as well as counseling clients for success and guiding clients through the process?

Whether understanding sensitivities of internal employee concerns, or preparing RFPs and negotiating and managing these complex contracts, Rimon lawyers understand and handle risks and issues new and unknown to many organizations—a host of human resource and performance issues, assignment, immigration and employment, warranty, insurance, indemnity and liability questions, growth, change control, customer service and termination issues. How to handle a migration plan? What about our people? What if I can’t get the service I need? What if my needs, my systems, my operations or my processes or my business changes?

The implications are large, the risks enormous and the complexity overwhelming—don’t skimp on retaining people with the right expertise, including lawyers. Want to know more? Want to schedule a customized in-house seminar? Contact Joe Rosenbaum in the U.S. at joseph.rosenbaum@rimonlaw.com and let us help you.

Avoiding a Legal Disaster: Déjà Vu All Over Again

In April 1995, Datapro Reports on Information Security published a Disaster Avoidance brief (IS38-200-101) entitled “Avoiding a Legal Disaster: Business Continuity Planning for Multinationals.” In that paper, the author analogizes a famous 1932 “technology” case decided by the Second Circuit Court of Appeals in the United States, to the growing potential liability of users in managing their technology and information security resources. Specifically, the article states that “In 1932, a famous case entitled The T.J. Hooper (60 F.2d 737; 2nd Circuit, 1932) held that the failure to take advantage of existing and available technology—even though it was not in widespread or common use—was not evidence that the defendant’s duty to take reasonable care had been fulfilled. By analogy, when a disaster occurs, it will not be a defense to argue that a recovery or security system or preventive measure is not commonly in use, especially if using it would have averted the disaster or minimized the loss.”

The article, which focuses on what organizations can do to minimize risk, goes on to note that, “The more reliant business and operations become on technology, the more available preventive and risk management tools become, the less excusable a failure to implement meaningful measures and exercise due diligence over company assets will become to government, employees, customers, suppliers, and shareholders—all potential plaintiffs.”

Now this fact and the author would probably be relegated to obscurity but for an interesting article on I.T. Litigation that has just appeared in the February 1, 2004 issue of CIO Magazine, entitled “Courts Make Users Liable for Security Glitches.” The author notes that an interesting turning point arose in the wake of 9/11 when, in October 2001, Hartford Insurance removed computer damages from its general commercial liability policy coverage. The article goes on to cite three recent cases which are beginning to look a lot like a legal trend in this area. First, a case in which Verizon asked a court to order the State of Maine to refund money because Verizon wasn’t using Maine’s network while Verizon was “down” because of the “Slammer” worm. Verizon had not implemented a Slammer patch and last April the Court ruled that while one may not be able to control a worm attack, they are foreseeable—no refund (Maine Public Utilities Commission v. Verizon).

In Cobell v. Norton, the U.S. Department of the Interior’s website and computer security became an issue in a case involving benefits allegedly and to American Indians. The Court was sufficiently irritated by the Department’s conduct related to security audits, that the Judge actually commenced contempt proceedings! Finally, in the last case cited by the article, the American Civil Liberties Union hoped to avoid liability for accidentally publishing donor information by pleading it had outsourced its security to a third-party vendor. Although the case settled, it is doubtful such a defense would have worked and it is almost certain regulated companies will not be able to escape accountability for compliance by outsourcing regulated activities—the responsibility will remain theirs!

There appears to be an increasing, and not-so-subtle, shift away from the notion that programming errors related to security breaches, computer viruses, worms, logic bombs and other malicious code or hacker and denial of service attacks are somehow equivalent to unpredictable natural disasters like earthquakes or fires—thus not subject to a “fault” analysis, but more appropriately covered by ‘accident’ insurance. Indeed, these and other cases arising in the courts treat breaches of security as fair game for negligence lawsuits—especially where damage has been done to a consumer (e.g., identity theft) or where the assets of a company—tangible or intellectual property—have been compromised. As noted in the 1995 article, liability for failure to implement available security is likely to increasingly hold both providers and users of technology liable where negligence can be shown—or even reckless disregard where safety or the protection of assets are concerned. You can read the CIO Magazine article here and, by the way, the obscure author of the 1995 Datapro article can be reached at joseph.rosenbaum@rimonlaw.com should anyone wish to see a copy or discuss the issues raised—then or now!

Got Indemnification!

In a world increasingly dependent on information, technology and intellectual property rights, contract indemnities—especially if you are an innocent third party—can be critical. “Innocent” means you are a licensee or user of technology (e.g., software, database information) from a provider or licensor and a third party claims that your provider or licensor has wrongfully furnished you with intellectual property that belongs to them. While space doesn’t allow us to go into the finer points of contributory infringement, third-party claims and the distinctions between insurance, breach of representation, and warranty or contract claims and an indemnity, there is enough space to alert you to the fact that a third-party indemnity claim—even if you, the user/licensee, have not knowingly done anything wrong—is disruptive and unnerving at best and at worst can lead to damage claims. For example, the third-party, if successful, will require a new license agreement with you and new license fees (remember those license fees you already paid your current licensor/provider?). Caveat emptor (or, in this case, caveat licensor)!

CAN-SPAM: It’s Not Phat!

Federal Commercial E-Mail Legislation Takes Effect A major change in the law that affects privacy and commercial e-mail on the Internet took effect on January 1, 2004. The CAN-SPAM Act of 2003 doesn’t simply establish an “opt-out” framework for commercial e-mail, it completely pre-empts state law. Although an individual consumer doesn’t have the right to sue an offender under the Act, the Federal Trade Commission, along with the Attorneys General of each state, do. So what should you know?

First, the Act only applies to commercial e-mail—an e-mail whose primary purpose is promoting a commercial product or service. Although the FTC has not yet promulgated any regulations under the Act, simply because an e-mail has a URL link to a commercial website or refers to product or service doesn’t make it commercial e-mail. There are, of course, certain obvious exemptions built into the law. Product safety recall information or e-mails notifying you about changes or important notices concerning your subscriptions, memberships, purchase confirmations, accounts or e-mail related to your employment—all of these are so-called “transactional relationship messages” where the main purpose is communication related to a commercial transaction, rather than promotion or advertising.

Second, what does the law require. Starting January 1, 2004, all commercial e-mail (even if an existing business relationship exists and whether or not the e-mail was solicited or not) must contain a clear and conspicuous notice that a consumer can opt out of future e-mails and provide a web-based means to do so. A consumer’s request to opt out must be honored within 10 business days and marketers can’t sell or share the e-mail addresses of those who have opted out. The e-mail must also clearly identify itself as an advertisement—unless a consumer has specifically asked to receive commercial e-mail from a particular commercial entity. Third, the e-mail must contain a postal, physical address of the sender. Although it is not yet clear if a post office box is enough, the less-risky approach is to have a street address.

The Act has a number of other requirements related to labeling—for example, the subject (header) must accurately reflect the body or content of the message and the sender (the sponsor of the promotion) must be identified. Although the Act preempts state commercial e-mail laws, beware of the fact that state fraud, trespass and certain consumer protection laws can still apply.

Violations of the CAN-SPAM Act are criminal offenses and involve both fines and potential jail time upon conviction. As with most Federal crimes, aggravating factors increase the penalties and implementing good faith and reasonable measures to attempt to comply with the Act can lessen them. These penalties can be serious—jail-time of up to five years, $250 per e-mail up to $2 million in fines (which can be tripled up to $6 million if aggravating factors are present) and all computers and software used in the commission of the crime can be forfeit.

Although the primary purpose of Legal Bytes is to enlighten and inform you, it obviously does promote Rimon and encourages you to call us when you need legal support. Accordingly we will always give you the opportunity to opt out of receiving our publication by email and when we send you an e-mail, it will be clear as to what it is and who is sending it. This is not just the law, it’s good practice.