Case

Today, the Supreme Court in City of Ontario v. Quon, et al., decided not to address whether a city police officer had a reasonable expectation of privacy in text messages sent using an employer-provided pager. Rather than confront the issue, the Court declined to "elaborat[e] too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear." The Court also declined to "establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices." Instead, the Court assumed that the police officer had an expectation of privacy in text messages sent through his employer-provided phone, and found that the warrantless search of his text messages was reasonable.

On October 6, 2009, the FTC announced its second enforcement action under the EU Safe Harbor Program in four months.  Six companies that had certified in the EU Safe Harbor Program allowed their certifications to lapse, but continued to represent to their users and to the public that they were "Safe Harbor Certified."  Under the proposed settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.

Before its first enforcement action, brought in July, 2009, the FTC had not enforced the EU Safe Harbor Program at all since its inception in 2000.  While many commentators had heretofor suggested that the would not enforce it, these new actions suggest a renewed FTC interest in ensuring that Program particpants actually follow the rules.

Read the official FTC press release here.

In the last two weeks, two courts--a New York state court and a federal court of appeals in Washington, D.C.--considered the issue of when to unmask anonymous online speakers. The New York state court considered the issue in the context of a pre-action discovery request and ordered Google to disclose the identity of an anonymous blogger so that a potential plaintiff could file a suit for defamation. The D.C. Circuit Court of Appeals considered what standard to require when presented with a motion to quash or enforce a subpoena seeking the identity of an anonymous defendant. These two cases represent the latest developments in the evolution of judicial rules governing the unmasking of anonymous online speakers.

In a decision issued on June 29, 2009 the Tenth Circuit held that a Web site advertising the sale of personal telephone records (1) committed an unfair practice in violation of the Federal Trade Commission Act; (2) that the Federal Trade Commission was authorized to enjoin; and (3) the Web site operator was not entitled to immunity under the Communications Decency Act.  F.T.C. v. Accusearch Inc., No. 08-8003, 2009 WL 1846344 (10th Cir. June 29, 2009).

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Earlier this month, a court of appeals in California held that the republication of content originally posted on MySpace is not an invasion of privacy.  Moreno v. Hanford Sentinel Inc., 2009 WL 866795 (Cal. App. Ct. April 2, 2009).  In this case, the plaintiff sued her local newspaper after it republished a disparaging journal entry she wrote about her hometown and posted on MySpace.  The court of appeals dismissed the plaintiff's invasion of privacy claim and stated that no reasonable person would have an expectation of privacy after posting content on a popular Internet site.

A Pennsylvania federal court recently held that pictures of a private road and residence available on Google Maps do not give rise to common law claims for invasion of privacy, negligence, trespass or unjust enrichment.  Boring v. Google, Inc., No. 08-694, 2009 WL 383484 (W.D. Pa., Feb. 17, 2009).

In Party City Corp. v. Superior Court of San Diego County, the California Court of Appeals held that zip codes are not "personally identifying information" under California's Song-Beverly Credit Card Act.

The Western Washington District Court held that the receipt of unsolicited commercial email messages ("spam"), while "annoying", is not by-itself enough of a "significant adverse effect" to constitute a violation of the US CAN-SPAM Act.

On January 15, 2009, the Foreign Intelligence Court of Review affirmed an earlier classified opinion that denied a provider challenge to the warrantless surveillance provisions of the now-defunct Protect America Act.  The appellate court confirmed that providers who received warrantless "directives" have standing to challenge the directives on behalf of their customers; it held that an exception to the Fourth Amendment's warrant requirement permits collection of foreign intelligence pursuant to directives; and it found harmless the "incidental collection" of communications of Americans if an American were communicating with a targeted non-U.S. person who is overseas.

On December 11, 2008, the Federal Trade Commission issued a press release describing a one million dollar settlement with Sony BMG Music Entertainment over charges that it violated the Children's Online Privacy Protection Act (COPPA). The FTC based its charges, at least in part, on date of birth and other information collected on general audience sites not directed at children. The settlement matches the largest penalty ever assessed by the FTC for a COPPA violation in its action against Xanga.com.

This case stemmed out of a security breach at BJ's Wholesale Club. In violation of the Visa Operating Regulations, BJ's retained and stored the magnetic strip information on the back of its customers' cards instead of deleting the data immediately. Someone copied the information and used it to fraudulently obtain goods and services.

In Avila v Valentin-Maldonado, 2008 WL 747076 (D. Puerto Rico March 19, 2008), the court refused to dismiss plaintiffs' claim that defendants' surreptitious video surveillance of their locker-break room infringed upon their reasonable expectation of privacy secured by the Fourth Amendment.

The Ninth Circuit, sitting en banc, recently affirmed a three judge panel decision, holding that section 230 of the Communications Decency Act (“CDA”), 47 U.S.C. § 230, does not immunize a roommate-matching website from potential violations of the federal Fair Housing Act and California housing discrimination laws. Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 2008 WL 879293 (9th Cir. April 3, 2008).

In Grabein v. 1-800-Flowers.com, Inc., No. 07-22235-CIV, 2008 WL 343179 (S.D.Fla. Jan. 29, 2008) the terms "print" and "point of [] sale," as used in the Fair and Accurate Credit Transaction Act (FACTA), were construed to encompass receipts for Internet sales in addition to traditional over-the-counter commercial transactions.

The operators of imbee.com, a social networking site specifically targeting kids and “tweens,” have agreed to settle Federal Trade Commission charges that their data-collection practices violated federal law.

In Mobilisa, Inc. v. Doe, 217 Ariz. 103, 170 P.3d 712 (2007), the Arizona Court of Appeals adopted a three-part test for use in determining when an anonymous internet poster's identity may be obtained.  Arizona joins New York, New Jersey, and California in formulating similar but different tests to determine when the identity of anonymous posters can be obtained.

An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

Apparently thinking that a strong offense was the best defense to copyright infringement claims for making copyrighted music available for sharing over the Internet, the defendant counterclaimed that the plaintiffs' (music and recording companies) investigation constituted trespass, computer fraud and invasion of privacy. The court granted Plaintiffs' motion to dismiss each of the above mentioned counterclaims.

In an order issued on September 18, 2007, United States Magistrate Judge Joan M. Azrack held that PCTDD may not be obtained with a pen register order. In the Matter of Application of the United States of America for Orders (1) Authorizing the Use of Pen Registers and Trap and Trace Devices and (2) Authorizing Release of Subscriber Information, 515 F. Supp. 2d 325 (E.D.N.Y. 2007). In so holding, Judge Azrack concurred with prior decisions from district courts in Texas and Florida. Id. at 327.

This case stemmed from the theft of computer servers containing hard drives with Tri-West’s customers’ personal information—including names, addresses, and social security numbers—during a burglary at Tri-West’s headquarters. Plaintiffs, Stollenwerk, DeGatica and Brandt. claimed that Tri-West negligently failed to secure the computers containing their personal information.

In CBC Distribution & Marketing, Inc. v. Major League Baseball Advanced Media, L.P., Nos. 06-3357/3358 (8th Cir. Oct. 16, 2007), the Eighth Circuit held that although the use of public information about Major League Baseball players on a fantasy baseball website met all the elements of a right of publicity claim, such use was protected by the First Amendment.

This case stemmed from criminals hacking into the computer systems of TJX and compromising the security of at lest 45,700,000 customer credit and debit accounts. Financial institutions brought suit seeking to recover their costs arising out of the resulting fraudulent transactions and the need to replace the compromised cards.

On July 27, 2007, the U.S. District Court for Massachusetts denied the Government's request for an order to obtain historical cell site information from a wireless carrier based upon the “specific and articulable facts” standard of Section 2703(d) of Title 18. Instead, the court held, that for it to issue an order compelling a telecommunication service provider to disclose historical cell site information to federal law enforcement agents, the Government must establish probable cause, as consistent with the requirements of Rule 41 of the Federal Rules of Criminal Procedure - in other words, the law enforcement agency must obtain a search warrant. Having chronicled the Magistrate's Revolt denying orders for prospective cell site information or tracking mobile phones on the “specific and articulable facts” standard of Section 2703(d), this is the first court to hold that probable cause is required for historical cell site information as well. The continued confusion in the courts and among service providers as to the proper standard for disclosure of location information underscores the need for legislative clarity.

Two recent data disposal cases serve as a fresh reminder to businesses of the need to ensure that proper destruction protocols are in place as part of an overarching cradle-to-grave data protection program. Effective data protection programs must sufficiently address not only the initial collection, use and disclosure of personal information but also effective procedures to properly store or dispose of personal information once it is no longer needed.

Seven insureds (“plaintiffs”) filed a class action against insurer ING Life Insurance and Annuity Company (“ING”) after a laptop containing the plaintiffs’ personal information was stolen from the home of an ING employee. Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007). The court held that the plaintiffs lacked standing because they failed to provide evidence of any actual injury or loss. Id. at 7. An allegation of increased risk of identity theft due to stolen personal data, without more, is insufficient to demonstrate a cognizable injury. Id.

The 9th Circuit Court of Appeals determined that sections 2702 and 2707 of the Electronic Communications Privacy Act ("ECPA") do not permit an individual to sue an electronic communications service provider for aiding and abetting. The Court concluded that the language of the statute "identifies unambiguously who is subject to liability" and does not subject electronic communications service providers to this liability.

Lambert v. Hartmann, 2006 U.S. Dist. LEXIS 93926, No. 1:04cv837 (S.D. Ohio,  12/29/06).

The U.S. District Court for the Southern District of Ohio has held that an identity theft victim does not have a constitutionally protected privacy interest in her Social Security number. A woman whose Social Security number was recorded on a traffic ticket, such ticket posted on the Internet, was able to demonstrate identity theft resulting from the posting. The court held, however, that the constitutional right to privacy protects only interests that are deemed "fundamental or implicit in the concept of ordered liberty."  A Social Secrity number, disclosure of which might result only in harms such as identity theft, is not constitutionally protected.

UMG Recordings, Inc. and Bonzi Software, Inc. each have agreed to settle Federal Trade Commission charges that they violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting personal information from children online without first obtaining parental consent. UMG Recordings, which operates several hundred music-related Web sites, will pay civil penalties of $400,000, the largest civil penalty to date for a COPPA violation. Bonzi Software, distributor of the BonziBUDDY software, will pay civil penalties of $75,000.

6th Cir. Ct. of Appeals, No. 03-2012 (9/28/06)
In a case of apparent first impression, the U.S. Court of Appeals for the Sixth Circuit has held that the Cable Communications Policy Act does not apply to broadband Internet services provided by a cable provider. Under the Sixth Circuit's holding, the statute's privacy provisions do not prevent ISPs from collecting personally identifiable information about their users.

Defendant collected and maintained credit card, debit card, and checking account numbers and other confidential personal financial information of approximately 1.5 million customers who purchased merchandise at DSW retail outlets. Because of DSWs alleged improper retention and failure to secure this information, on or about March 2005 unauthoriz