The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


San Francisco Chronicle reports on loss of their own data.

I read in my own hometown paper, the San Francisco Chronicle, that subscribers’ vacation hold data had been misappropriated by nefarious actors intent on using the start and stop dates to target burglaries. Of course, I had to browse all the way to page B-3 of the paper to read all about this.

Now, the Chron would argue that the kinds of data accessed – home addresses and vacation dates – aren’t the kind of data that requires a more formal notification. And they’re right. Most state legislatures intended to capture the kinds of data that would lead to identity theft and mandated formal notification for unlawful access to that data.

But common sense would indicate here that the subscribers the Chron has put into danger of burglary (and worse) deserve some kind of notification here. I’m not arguing that it should be legally required, but it seems like some notice, beyond just a short blurb buried deep in the paper, might be good customer service.


Bank privacy policy constitutes part of bargained-for exchange where loan guarantor relied on policy in providing financial data

A bank’s privacy policy constituted part of a loan guarantor’s bargained-for exchange with the bank, where the guarantor alleges that he relied upon the policy in providing confidential financial information to the bank in connection with the guarantee. Meyer v. Christie, No. 07-2230, 2007 U.S. Dist. LEXIS 79285 (D. Kan. Oct. 24, 2007). The court declined to dismiss the guarantor’s breach of contract claim arising out of a bank officer’s alleged disclosure and mischaracterization of the guarantor’s financial information, rejecting the bank’s argument that its privacy policy was "nothing more than a mere unilateral statement of company policy." The court also rejected the bank’s argument that the contract claim based on its privacy policy failed for lack of consideration because the bank was required by the Gramm-Leach-Bliley Act to provide notice of the privacy policy to customers. The court noted that the provision of the Act relied upon by the bank only required it to disclose its privacy policies, but did not dictate the terms of those policies.