The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York and who owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to well more than 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data? And no company should have to worry about not having the right legal advice when dealing with their customers, regulators and law enforcement officials. Rimon has a Data Security Group that keeps track of these laws in the United States and throughout the world.
When NBC Universal broadcasts “Deal or No Deal,” viewers are invited to play a “Lucky Case Game.” The game allows viewers to pick one of six cases and submit their entry via premium text message ($.99) or online. If you pick the right case, you are entered in a random drawing for a prize of up to $100,000. Well, wouldn’t you know. Someone lost and sued NBC under Georgia’s gambling laws, which make gambling contracts void and states that any “money paid…upon a gambling consideration may be recovered from the winner by the loser” (Hardin v. NBC Universal). There are also actions pending before the California courts. Just a few weeks ago, the Georgia Supreme Court held that the $.99 was not a bet or wager, and there was no “gambling contract” between the plaintiffs and NBC. For now, and at least in Georgia, a premium text message game is permissible.
Last fall, a California court held that CMG, assignee of rights under Marilyn Monroe’s estate to exploit her image and likeness, had no rights because at the time of her death, there were no laws in either California or New York recognizing rights of publicity. Enter California’s legislature—amending its law to retroactively enact rights of publicity (See Legal Bytes, October 2007) to “remedy” this unfortunate state of affairs. Whoops. Not so fast. A judge in the U.S. District Court for the Central District of California has just ruled Marilyn Monroe was a New York resident at the time of her death in 1962, and pulled the plug on the recently amended California Right of Publicity law.
The FTC issued its Final Rule concerning certain aspects of the CAN-SPAM Act May 12, 2008. The Final Rule: (a) allows multiple marketers to designate an otherwise legally qualified entity as the single “sender” for purposes of compliance. The sender still must comply with the opt out, identification and other requirements of the Act, but no longer must be the entity that controls all the content or determines all the email addresses to which the message will be sent. In practice, this means only the designated sender (not the other marketers) needs to honor opt-out requests, and only the designated sender needs to have a physical address in the message; (b) prohibits conditioning an opt-out request on paying a fee or providing some personal information other than an email address; (c) allows senders to use a P.O. Box as the physical address if they have accurately registered the P.O. Box with the United States Postal Service; and (d) defines the word “person” to include business entities. As part of its ruling, the FTC also refused to change the amount of time (10 business days) a sender has to comply with an opt out request from an email recipient, and also rejected putting any time limits on how long an opt-out request from a recipient would remain valid and in effect.
This month we want to know what former Major League Baseball All Star Pitcher became a dentist once he finally left the game of baseball. Send your answer to me.
Our prize for last month goes to long-standing reader and Legal Bytes’ friend, Debbie Kaste, Director of Legal Operations Support for Hilton Hotels. She (very quickly and quite correctly) knew why so many children’s toy coin banks are in the shape of a pig. In Middle English, “pygg” referred to a dense type of orange clay used in Europe for making household jars, dishes and cookware. When people saved coins in kitchen pots and jars made of this clay, the jars became known as “pygg jars” and at some point in the 18th Century, some English potter misunderstood the word and starting making coin-collecting jars in the shape of a pig—hence the pig or “piggy” bank. By the way, it is still illegal in France to name a pig Napoleon.
“Obstacles don’t have to stop you. If you run into a wall, don’t’ turn around and give up. Figure out how to climb it, go through it, or work around it.”
The New York Appellate Division has ruled that an email exchange between two parties can amend a contract—even if the agreement specifically states amendments “must be in writing signed by both parties” (Arthur Stevens v. Publicis USA). Here, an employment agreement was the subject of emails between the parties. The court ruled that emails containing the name of the sender in a signature block are a “signed writing” sufficient to amend the contract! Ouch! It is not hard to imagine any email communication with all the elements of a meeting of the minds (“gee, that sounds perfect”), an intent to be bound (“I agree”) and authenticated as attributable to the parties—would fit the argument. Have you looked at your contracts lately? Your outgoing email messages? Our own Peter Raymond and John Webb argued and won this case for our client Publicis USA and have authored a Rimon Bulletin. Our ATM team is working with them to counsel clients on how best to protect themselves in light of this decision.
John Hines in our Chicago office is one of the authors of “Anonymity, Immunity and Online Defamation: Managing Corporation Exposures,” published in the Sedona Conference Journal and cited by the 7th Circuit. Earlier this month, the 9th Circuit rendered a decision many think may erode immunity accorded to ISPs, websites and services with defamatory content posted on their sites (Fair Housing Council v. Roommates.com). But did you know that last week, the New Jersey Supreme Court rendered a significant decision recognizing a privacy interest in subscriber data which may impact corporations’ ability to pierce anonymity (State v. Reid). John has authored a Rimon Bulletin noting this extraordinary decision, departing from U.S. Constitutional standards and holding that the right to privacy extends to subscriber data in the possession of an ISP. The case involves a company that gave local police the IP address, registered to Comcast, of an employee on leave who visited a company supplier’s website, making unauthorized changes. After she was indicted, lawyers moved to suppress the evidence, arguing that without a valid subpoena, the employee’s expectation of privacy barred Comcast’s disclosure. New Jersey agreed, expressly extending its State “Constitutional” right of privacy to subscriber data provided to ISPs, noting “[u]sers make disclosures to ISPs for the limited goal of using that technology and not to promote the release of personal information to others.” Given the state of technology, the “IP addresses cannot be matched to an individual user without the help of an ISP,” and users have a reasonable expectation of privacy. Although the ruling is in the context of a criminal case, it will likely present challenges for corporations pursuing civil remedies and seeking to pierce the anonymity of individuals responsible for defamation and other speech torts. John and a team of Rimon lawyers know this area—reach out to him.
This article was contributed by Adam Snukal, Esq.
Surfed the web lately? Seen a banner promoting a product, service or trip to Ireland you priced yesterday? Serendipity? Luck? Cookies? Yes, it’s those tiny files placed on your computer when you visit a website. Advertisers can now parse through cookies on your computer when you visit certain websites and instantaneously serve up advertisements based on your historical online behavior—“behavioral marketing.” For some, this is a great convenience. For others, like New York State Assemblyman Richard Brodsky, this is invasive and should be stopped unless the consumer has given consent.
Assemblyman Brodsky sees the acquisition of Doubleclick by Google as a step backward for consumers since the combined company could tap into a reservoir of consumer behavior and search data on an individual basis. So he introduced a bill aimed at restricting Internet behavioral marketing—The Third Party Internet Advertising Consumers’ Bill of Rights Act of 2008—that would prohibit advertisers from collecting and using sensitive, personally identifiable information from users online; require websites to clearly and conspicuously disclose behavioral policies and practices; give consumers the right to opt-out of profiling practices; prevent their online behavior from being collected and used to deliver targeted advertisements; and police how advertisers are permitted to merge and synthesize such information with other data (e.g., merging personally identifiable information collected offline with information collected online). Opponents—some of the largest interactive advertising and media companies—have voiced their opposition in a letter to Assemblyman Brodsky, noting, “Time after time, state laws that have attempted to impose this sort of broad Internet regulation have been struck down by the courts, doing nothing more than making taxpayers bear the expense both of defending the lawsuit and paying the successful plaintiffs’ attorneys fees.”