The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

California Legislature Passes Location Privacy Act

Yesterday, the California legislature passed the Location Privacy Act of 2012 (SB-1434) (the "Act).  The Act requires law enforcement to obtain search warrants before gathering GPS or other location-related data from a suspect’s cell phone that it may be transmitting.  The Act is now waiting signature by Governor Jerry Brown; however, he vetoed similar legislation last year.

The Act was sponsored by Sen. Leno (D-San Francisco), and supported by the ACLU of California and the Electronic Frontier Foundation.  The subject of warrantless GPS tracking continues to be a hot topic nationally.  Last week, the Sixth Circuit ruled that law enforcement can track the GPS signal coming from a suspect’s prepaid cell phone without a warrant in United States v. Skinner, No. 09-6497 (6th Cir. Aug. 14, 2012) .  In issuing the decision, the Court stated that "[t]here is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone."

The California Senate also passed another privacy related bill earlier this week, which would prohibit colleges and universities from requiring access to students’ social media accounts.  The bill also moves to the Governor’s desk for signature.  A similar bill pending in the Assembly would provide similar protection to employees and job applicants as well.

Leave a comment

CFPB Announces Supervision of Credit Reporting Agencies

Monday, the Consumer Financial Protection Bureau ("CFPB") announced that it would begin to supervise credit reporting agencies.  According to the CFPB, this is the first time the consumer reporting agencies will be subject to a federal supervision program.  Formal supervision will start September 30, and on-site examinations will begin after that date.

According to the New York Times, the CFPB will oversee and make rules to cover about 30 credit reporting companies, which represent 94% of the $4 billion credit reporting market.  The CFPB’s supervision and rules will not only apply to the "big three" credit reporting agencies, Experian, Equifax, and TransUnion, but also to those with more than $7 million in annual revenue.

The CFPB also posted a list of consumer reporting agencies, which consists of companies that have identified themselves as consumer reporting companies or provide consumers access to their credit reports.  The CFPB made the announcement as part of it attempts to define the "larger participants" among consumer financial companies as part of its Dodd-Frank supervision authority.

Director Cordray’s full remarks are available here.  The CFPB also released a consumer advisory on checking credit scores.

Leave a comment

House Passes CISPA

Last week, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA).  CISPA would authorize Internet service providers and other companies to share customer communications and other personal information with governmental agencies.  The intent of the bill is to enhance information sharing for data security purposes, however, many organizations such as the Center for Democracy and Technology and the ACLU strongly oppose the bill, and President Obama has threatened to veto it.

Critics of CISPA state that the bill is overbroad and does not contain appropriate privacy, confidentiality or civil liberties safeguards.  According to the White House’s statement, "the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information."  For example, CISPA could allow companies to give email communications to the government with no judicial oversight if the emails contained cyber threat information.  Supporters argue that this information sharing is necessary in order to prevent cyber attacks.  Initially internet companies appeared to have supported the bill, although this week Mozilla announced its opposition to the bill and Microsoft has expressed concern over the bill’s impact on personal privacy.

In addition to privacy concerns, an interesting article on Slate had another take on CISPA – that it will effectively overwhelm the government with more data than it can handle, noting that "analyzing the world’s data to identify potential cyberthreats has gone from difficult to impossible.  The volume of digital information has become far too large." 

CISPA now moves to the Senate for consideration, where it will compete with at least two other cyber security bills.

Leave a comment

Oregon Supreme Court Holds Insufficient Injury to Allow Negligence Claim in Data Breach Suit

On February 24, the Oregon Supreme Court held that absent any allegations that stolen personal information was used or viewed by a third party, plaintiffs had not suffered an injury that would support a negligence claim or an action under Oregon’s Unlawful Trade Practices Act in Paul v. Providence Health System-Oregon. 

The breach at issue occurred in 2005, when an employee left disks and tapes containing medical records for 365,000 patients in the employee’s car and those disks and tapes were stolen.  Some of the records went back 20 years, and contained Social Security numbers and medical information.   In 2006, the defendant settled with the Oregon Attorney General and agreed to pay credit monitoring costs to affected patients for two years and over $95,000 to the Attorney General.  In 2007, the trial court granted the defendant’s motion to dismiss, taking into account that several plaintiffs had been at least partially compensated via the attorney general settlement, and holding that the plaintiffs’ claimed damages were premised on the risk of future injury rather than actual present harm.

Plaintiffs argued that they had suffered financial loss in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft.  They also argued that they had suffered damages by the emotional distress caused by the theft of the records.   The Supreme Court however found not only that there was no evidence that the plaintiffs had suffered any financial loss as a result of the breach, but also that there was no evidence that the records had ever been accessed or viewed.  The Court also noted that its decision to dismiss the claims were in line with many other decision by courts in other jurisdictions, such as Pisciotta v. Old Nat. Bancorp out of the Seventh Circuit and Ruiz v. Gap from the Ninth Circuit.



Leave a comment

FTC to Host Workshop on Advertising Disclosures Online and in Mobile Media May 30

Yesterday the Federal Trade Commission announced that it will host a day long workshop open to the public on May 30 to explore whether new guidance is needed for advertising disclosures made both online and in mobile media.  The workshop will address the Dot Com Disclosures and how potential revisions could illustrate clear and conspicuous disclosures in the online and mobile advertising environment.  The FTC started seeking input on how to revise the Dot Com Disclosures to account for changes in technology since the guidance was originally issued last year.  

Topics to be addressed include:

– How can effective disclosures be made in social media and on mobile devices, especially when space is limited for disclosures? 

– When can disclosures provided separately from an initial advertisement be considered adequate?

– What are available options when consumers use devices that do not allow downloading or printing terms of an agreement?

– How can short, effective and accessible privacy disclosures be made on mobile devices?

The FTC also seeks suggestions of topics of discussion and original research.  Requests and recommendations can be sent to  Additional information is available here.

Leave a comment

Most Claims Dismissed Against Heartland Payment Systems in Data Breach Litigation

Recently, a federal district court judge dismissed the majority of claims brought by financial institutions against Heartland Payment Systems ("HPS") as a result of its 2009 data breach.  The plaintiffs alleged that hackers obtained payment card numbers and expiration dates for approximately 130 million accounts as a result of the breach.  The plaintiffs were financial institutions that did not participate in the Visa or MasterCard settlements. 

U.S. District Judge Lee Rosenthal dismissed all claims except for the plaintiffs’ claim under the Florida Deceptive and Unfair Trade Practices Act.  HPS argued that the Act only applied to consumers, but Judge Rosenthal disagreed, noting that the Act was amended in 2001 to state “person” instead of “consumer."

Continue reading

Leave a comment

California Amends Song-Beverly Act

California recently amended its Song-Beverly Act (“Act”) to include a specific exception from its prohibition on collecting personal information during a credit card transaction. This exception allows collection of personal information (such as a zip code) by businesses in certain pay at the pump scenarios.   This law was filed with the Secretary of State on October 9, 2011, and went into effect immediately. This amendment was enacted as a result of the California Supreme Court’s decision in Pineda v. Williams Sonoma in February of this year. Our coverage of this decision can be found here.

Litigation continues in California in the aftermath of the Pineda decision. In August, the Superior Court of California, County of San Francisco, held that the prohibition on collecting and recording personal information under the Act did not apply to online transactions in Gonor v. Craigslist, concurring with an earlier federal court decision from 2009 (See Saulic v. Symantec Corp.)

Litigation has also been filed in other states that have laws similar to the Act. In Massachusetts, suit was filed against Michael’s stores in May. The plaintiff alleged that she made a purchase at a Michael’s store with her credit card, and provider her zip code during the sales transaction. She asserted that Michael’s then combined her zip code with other information to obtain her home address and sent her marketing materials. Plaintiff argues that this practice violates Mass. Gen Laws ch. 93 s. 105.

Similarly in New Jersey, suits have been filed in state and federal court regarding the collection of zip code at the point of sale. Plaintiffs argue that this practice violates NJSA 56:11-17. In September, a state court judge allowed a suit to move forward against Harmon Stores.  However, a federal judge came to the opposite conclusion about a week later and dismissed a class action based on this law.   For businesses that collect zip codes or personal information during credit card transactions, this issue will continue to be one to watch.