Case

The First Circuit Court of Appeals ruled recently that plaintiffs in a data breach class action have standing based on money spent for card replacement fees and identity theft insurance, because such expenses were a reasonably foreseeable result of a significant data breach where there was evidence that a criminal enterprise was responsible for the breach and had actually used stolen credit card numbers hundreds of times. Anderson v. Hannaford Bros. Co., --- F.3d ----, NO. 10-2384, 10-2450, 2011 WL 5007175 (1st Cir. October 20, 2011).

Last week, in an unpublished opinion, the Ninth Circuit vacated an Idaho district court's denial of a motion to compel production of the identities of four anonymous online speakers.  In SI03, Inc. v. Bodybuilding.com, the Ninth Circuit found that the district court should not have applied the rigorous standards of Doe v. Cahill and Dendrite where the nature of the speech--as core, protected speech or as less-protected, commercial speech--was unclear.  Rather, the district court should have conducted its own inquiry into the speakers' identities to "determine the nature of the speech at issue before settling on a standard for disclosure."

Last week, on June 23, 2011, the Vermont Supreme Court, in State v. Simmons, --- A.3d ----, 2011 WL 2474275, affirmed a trial court decision that applied the "settled Fourth Amendment precedent" that "internet users have no reasonable expectation of privacy in their subscriber information, the length of their stored files, and other noncontent data to which service providers must have access."  In addition to this interpretation of federal law, the Court also agreed with the trial court's conclusion that Vermont's Constitution "affords no privacy protection in an internet service provider's subscriber address or use information disclosing non-content data."

Today, the Supreme Court in City of Ontario v. Quon, et al., decided not to address whether a city police officer had a reasonable expectation of privacy in text messages sent using an employer-provided pager. Rather than confront the issue, the Court declined to "elaborat[e] too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear." The Court also declined to "establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices." Instead, the Court assumed that the police officer had an expectation of privacy in text messages sent through his employer-provided phone, and found that the warrantless search of his text messages was reasonable.

On October 6, 2009, the FTC announced its second enforcement action under the EU Safe Harbor Program in four months.  Six companies that had certified in the EU Safe Harbor Program allowed their certifications to lapse, but continued to represent to their users and to the public that they were "Safe Harbor Certified."  Under the proposed settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.

Before its first enforcement action, brought in July, 2009, the FTC had not enforced the EU Safe Harbor Program at all since its inception in 2000.  While many commentators had heretofor suggested that the would not enforce it, these new actions suggest a renewed FTC interest in ensuring that Program particpants actually follow the rules.

Read the official FTC press release here.

In the last two weeks, two courts--a New York state court and a federal court of appeals in Washington, D.C.--considered the issue of when to unmask anonymous online speakers. The New York state court considered the issue in the context of a pre-action discovery request and ordered Google to disclose the identity of an anonymous blogger so that a potential plaintiff could file a suit for defamation. The D.C. Circuit Court of Appeals considered what standard to require when presented with a motion to quash or enforce a subpoena seeking the identity of an anonymous defendant. These two cases represent the latest developments in the evolution of judicial rules governing the unmasking of anonymous online speakers.

In a decision issued on June 29, 2009 the Tenth Circuit held that a Web site advertising the sale of personal telephone records (1) committed an unfair practice in violation of the Federal Trade Commission Act; (2) that the Federal Trade Commission was authorized to enjoin; and (3) the Web site operator was not entitled to immunity under the Communications Decency Act.  F.T.C. v. Accusearch Inc., No. 08-8003, 2009 WL 1846344 (10th Cir. June 29, 2009).

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Today, a federal judge dismissed all claims against communications providers who were alleged to have cooperated with the NSA in undertaking warrantless wiretapping in the United States, beginning soon after 9/11. The dismissal upheld Section 802 of the FISA Amendments Act (FAA), which Congress passed in July 2008 to provide complete retroactive immunity to any provider who did participate in the NSA program. Despite upholding immunity for providers, the court allowed lawsuits against the government to proceed. Although there may be appeals, this decision brings the lawsuits a considerable step closer to final conclusion. And as legal challenges to the FAA (or its predecessor, the Protect America Act) fail, providers who are subject to the enhanced surveillance provisions created under the FAA should be reassured about the Constitutionality and legality of new statutory obligations they are under.

Earlier this month, a court of appeals in California held that the republication of content originally posted on MySpace is not an invasion of privacy.  Moreno v. Hanford Sentinel Inc., 2009 WL 866795 (Cal. App. Ct. April 2, 2009).  In this case, the plaintiff sued her local newspaper after it republished a disparaging journal entry she wrote about her hometown and posted on MySpace.  The court of appeals dismissed the plaintiff's invasion of privacy claim and stated that no reasonable person would have an expectation of privacy after posting content on a popular Internet site.

A Pennsylvania federal court recently held that pictures of a private road and residence available on Google Maps do not give rise to common law claims for invasion of privacy, negligence, trespass or unjust enrichment.  Boring v. Google, Inc., No. 08-694, 2009 WL 383484 (W.D. Pa., Feb. 17, 2009).

In Party City Corp. v. Superior Court of San Diego County, the California Court of Appeals held that zip codes are not "personally identifying information" under California's Song-Beverly Credit Card Act.

The Western Washington District Court held that the receipt of unsolicited commercial email messages ("spam"), while "annoying", is not by-itself enough of a "significant adverse effect" to constitute a violation of the US CAN-SPAM Act.

On January 15, 2009, the Foreign Intelligence Court of Review affirmed an earlier classified opinion that denied a provider challenge to the warrantless surveillance provisions of the now-defunct Protect America Act.  The appellate court confirmed that providers who received warrantless "directives" have standing to challenge the directives on behalf of their customers; it held that an exception to the Fourth Amendment's warrant requirement permits collection of foreign intelligence pursuant to directives; and it found harmless the "incidental collection" of communications of Americans if an American were communicating with a targeted non-U.S. person who is overseas.

On December 11, 2008, the Federal Trade Commission issued a press release describing a one million dollar settlement with Sony BMG Music Entertainment over charges that it violated the Children's Online Privacy Protection Act (COPPA). The FTC based its charges, at least in part, on date of birth and other information collected on general audience sites not directed at children. The settlement matches the largest penalty ever assessed by the FTC for a COPPA violation in its action against Xanga.com.

This case stemmed out of a security breach at BJ's Wholesale Club. In violation of the Visa Operating Regulations, BJ's retained and stored the magnetic strip information on the back of its customers' cards instead of deleting the data immediately. Someone copied the information and used it to fraudulently obtain goods and services.

In Avila v Valentin-Maldonado, 2008 WL 747076 (D. Puerto Rico March 19, 2008), the court refused to dismiss plaintiffs' claim that defendants' surreptitious video surveillance of their locker-break room infringed upon their reasonable expectation of privacy secured by the Fourth Amendment.

The Ninth Circuit, sitting en banc, recently affirmed a three judge panel decision, holding that section 230 of the Communications Decency Act (“CDA”), 47 U.S.C. § 230, does not immunize a roommate-matching website from potential violations of the federal Fair Housing Act and California housing discrimination laws. Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 2008 WL 879293 (9th Cir. April 3, 2008).

In Grabein v. 1-800-Flowers.com, Inc., No. 07-22235-CIV, 2008 WL 343179 (S.D.Fla. Jan. 29, 2008) the terms "print" and "point of [] sale," as used in the Fair and Accurate Credit Transaction Act (FACTA), were construed to encompass receipts for Internet sales in addition to traditional over-the-counter commercial transactions.

The operators of imbee.com, a social networking site specifically targeting kids and “tweens,” have agreed to settle Federal Trade Commission charges that their data-collection practices violated federal law.

In Mobilisa, Inc. v. Doe, 217 Ariz. 103, 170 P.3d 712 (2007), the Arizona Court of Appeals adopted a three-part test for use in determining when an anonymous internet poster's identity may be obtained.  Arizona joins New York, New Jersey, and California in formulating similar but different tests to determine when the identity of anonymous posters can be obtained.

An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

Apparently thinking that a strong offense was the best defense to copyright infringement claims for making copyrighted music available for sharing over the Internet, the defendant counterclaimed that the plaintiffs' (music and recording companies) investigation constituted trespass, computer fraud and invasion of privacy. The court granted Plaintiffs' motion to dismiss each of the above mentioned counterclaims.

In an order issued on September 18, 2007, United States Magistrate Judge Joan M. Azrack held that PCTDD may not be obtained with a pen register order. In the Matter of Application of the United States of America for Orders (1) Authorizing the Use of Pen Registers and Trap and Trace Devices and (2) Authorizing Release of Subscriber Information, 515 F. Supp. 2d 325 (E.D.N.Y. 2007). In so holding, Judge Azrack concurred with prior decisions from district courts in Texas and Florida. Id. at 327.

This case stemmed from the theft of computer servers containing hard drives with Tri-West’s customers’ personal information—including names, addresses, and social security numbers—during a burglary at Tri-West’s headquarters. Plaintiffs, Stollenwerk, DeGatica and Brandt. claimed that Tri-West negligently failed to secure the computers containing their personal information.

In CBC Distribution & Marketing, Inc. v. Major League Baseball Advanced Media, L.P., Nos. 06-3357/3358 (8th Cir. Oct. 16, 2007), the Eighth Circuit held that although the use of public information about Major League Baseball players on a fantasy baseball website met all the elements of a right of publicity claim, such use was protected by the First Amendment.

This case stemmed from criminals hacking into the computer systems of TJX and compromising the security of at lest 45,700,000 customer credit and debit accounts. Financial institutions brought suit seeking to recover their costs arising out of the resulting fraudulent transactions and the need to replace the compromised cards.

On July 27, 2007, the U.S. District Court for Massachusetts denied the Government's request for an order to obtain historical cell site information from a wireless carrier based upon the “specific and articulable facts” standard of Section 2703(d) of Title 18. Instead, the court held, that for it to issue an order compelling a telecommunication service provider to disclose historical cell site information to federal law enforcement agents, the Government must establish probable cause, as consistent with the requirements of Rule 41 of the Federal Rules of Criminal Procedure - in other words, the law enforcement agency must obtain a search warrant. Having chronicled the Magistrate's Revolt denying orders for prospective cell site information or tracking mobile phones on the “specific and articulable facts” standard of Section 2703(d), this is the first court to hold that probable cause is required for historical cell site information as well. The continued confusion in the courts and among service providers as to the proper standard for disclosure of location information underscores the need for legislative clarity.

Two recent data disposal cases serve as a fresh reminder to businesses of the need to ensure that proper destruction protocols are in place as part of an overarching cradle-to-grave data protection program. Effective data protection programs must sufficiently address not only the initial collection, use and disclosure of personal information but also effective procedures to properly store or dispose of personal information once it is no longer needed.

Seven insureds (“plaintiffs”) filed a class action against insurer ING Life Insurance and Annuity Company (“ING”) after a laptop containing the plaintiffs’ personal information was stolen from the home of an ING employee. Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007). The court held that the plaintiffs lacked standing because they failed to provide evidence of any actual injury or loss. Id. at 7. An allegation of increased risk of identity theft due to stolen personal data, without more, is insufficient to demonstrate a cognizable injury. Id.

The 9th Circuit Court of Appeals determined that sections 2702 and 2707 of the Electronic Communications Privacy Act ("ECPA") do not permit an individual to sue an electronic communications service provider for aiding and abetting. The Court concluded that the language of the statute "identifies unambiguously who is subject to liability" and does not subject electronic communications service providers to this liability.

Lambert v. Hartmann, 2006 U.S. Dist. LEXIS 93926, No. 1:04cv837 (S.D. Ohio,  12/29/06).

The U.S. District Court for the Southern District of Ohio has held that an identity theft victim does not have a constitutionally protected privacy interest in her Social Security number. A woman whose Social Security number was recorded on a traffic ticket, such ticket posted on the Internet, was able to demonstrate identity theft resulting from the posting. The court held, however, that the constitutional right to privacy protects only interests that are deemed "fundamental or implicit in the concept of ordered liberty."  A Social Secrity number, disclosure of which might result only in harms such as identity theft, is not constitutionally protected.

UMG Recordings, Inc. and Bonzi Software, Inc. each have agreed to settle Federal Trade Commission charges that they violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting personal information from children online without first obtaining parental consent. UMG Recordings, which operates several hundred music-related Web sites, will pay civil penalties of $400,000, the largest civil penalty to date for a COPPA violation. Bonzi Software, distributor of the BonziBUDDY software, will pay civil penalties of $75,000.

6th Cir. Ct. of Appeals, No. 03-2012 (9/28/06)
In a case of apparent first impression, the U.S. Court of Appeals for the Sixth Circuit has held that the Cable Communications Policy Act does not apply to broadband Internet services provided by a cable provider. Under the Sixth Circuit's holding, the statute's privacy provisions do not prevent ISPs from collecting personally identifiable information about their users.

Defendant collected and maintained credit card, debit card, and checking account numbers and other confidential personal financial information of approximately 1.5 million customers who purchased merchandise at DSW retail outlets. Because of DSWs alleged improper retention and failure to secure this information, on or about March 2005 unauthorized persons obtained access to and acquired the information of approximately 96,000 customers. Plaintiff’s amended complaint alleges several tort and contract claims against DSW and states that plaintiff has been subjected to a substantial increase in her risk of identity theft and other related financial crimes.

Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced today.

In Giordano v. Wachovia Sec., LLC, 2006 WL 2177036 (D. N.J. July 31, 2006), the plaintiff filed suit against Wachovia Securities, LLC (“Wachovia”) after her personal and financial information was lost in the mail. The four-count complaint alleged (1) negligence, (2) invasion of privacy, (3) breach of the duty of confidentiality, and (4) conversion stemming from the loss of the plaintiff’s personal and financial information. Id. at *1. Because the district court found that the plaintiff did not suffer an injury-in-fact and, therefore, lacked standing to bring a claim in federal court, it remanded the case to state court. Id. at *5.

This case stemmed from a data security breach in which personal financial information maintained on a computer network by DSW—including customers’ credit and debit card numbers, along with the corresponding name to those cards, and checking account numbers and drivers' license numbers provided by check writers—was compromised by an unauthorized third party. The compromised information included the numbers and names associated with approximately 1,438,281 credit and debit cards and 96,385 checking account numbers and drivers’ license numbers.

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law.

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.

430 F.3d 457 (D.C. Cir. 2005)
D.C. Circuit holds that Federal Trade Commission (FTC) could not apply certain privacy rules, pursuant to the Gramm-Leach-Bliley (GLB) Act, to attorneys engaged in the practice of law.

Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law.

Dist. Ct. Tex. (Travis Cty.) (filed Nov. 21, 2005)
Texas attorney general sued Sony BMG concerning its music compact discs, which require customers to download Sony's media players to listen to the CDs on a computer. The complaint alleged the software included with the media player made users vulnerable to viruses and other problems, in violation of Texas's Consumer Protection Against Computer Spyware Act.

379 F.Supp.2d 299 (E.D.N.Y. 2005)
In a multidistrict consolidated class action, customers sued airline JetBlue for disclosing Passenger Name Records (PNRs) to the Department of Defense (DOD) in violation of the Electronic Communications Privacy Act of 1986 (ECPA) and New York law, and alleging breach of contract. JetBlue had a privacy policy which represented that financial and personal information collected by JetBlue would not be shared with third parties.

No. CGC-05-442624 (Cal. Super. Ct. (San Francisco) filed Jun. 27, 2005) (class action)
Consumers filed class action lawsuit against CardSystems Solutions, Visa and MasterCard alleging the companies neglected to adequately protect credit card systems from security breach, and failing to inform customers in a timely manner about a particular security breach. During April, intruders obtained access to CardSystems' database of information concerning 40 million credit cards.

2005 WL 2452798 (E.D. Cal.)
U.S. District Court
The U.S. District Court for the Eastern District of California ruled that federal law preempts a state statute that restricts the ability of financial institutions to share customer information with their affiliates unless they give consumers an opportunity to opt out of permitting such uses.

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law.

2005 WL 2365255 (W.D. Tenn. 2005)
Arising from largely the same facts as those in Dyer v. Northwest Airlines Corp., 334 F.Supp.2d 1196 (D.N.D. 2004), customers filed a class action suit against Northwest, alleging Northwest's disclosure of personal information to the National Aeronautical and Space Administration (NASA) violated the Electronic Communications Privacy Act (ECPA) and Tennesee's Consumer Protection Act.

Case No. 8C329115 (Cal. Sup. Ct. filed Feb. 18, 2005) (class action)
Plaintiffs filed class action suit against data broker ChoicePoint, arising from the theft of names, Social Security numbers, driver's license numbers, and credit and contact information. They allege ChoicePoint failed to adequately secure and maintain this information, implement adequate security measures, misrepresented the company's security measures and ability to secure the information, and failure to timely disclose breaches of the security measures to affected customers.

Petco Animal Supplies, Inc., a national seller of pet food, supplies, and services, has agreed to settle Federal Trade Commission charges that security flaws in its www.PETCO.com Web site violated privacy promises it made to its customers and violated federal law.

334 F. Supp. 2d 1196 (D. N.D. 2004)
D. N.D.
A federal district court held that airline was not an "electronic communications service" provider under the Electronic Communications Privacy Act (ECPA), because the term does not include businesses offering their traditional products and services through a website, like an airline. The court also held that the airline's privacy policy posted on its website did not constitute a "contract," and thus could not give rise to actionable claims of breach.

No. 0:04-cv-00126-PAM-JSM, Doc. 30 (D. Minn. Jun. 6, 2004) (class action)
A federal district court held that: (1) airline was "simply not an electronic communications service provider, and therefore cannot violate § 2702" of the Electronic Communications Privacy Act (ECPA); (2) ECPA § 2701 did not apply, as alleged, since the section applies to improper access to an electronic communications service, whereas airline improperly disclosed information; (3) Northwest did not violate the Fair Credit Reporting Act because airline was not a "consumer reporting agency" subject to the act's provisions; (4) plaintiffs' claims under Minnesota Deceptive Trade Practices Act were preempted by federal Airline Deregulation Act. Without notifying its customers, Northwest provided names, addresses, credit card numbers, and itineraries of numerous passengers to a third party (the National Aeronautical and Space Administration).

MTS, Inc., and Tower Direct, LLC, (“Tower”) have agreed to settle Federal Trade Commission charges that a security flaw in the Tower Web site exposed customers’ personal information to other Internet users, in violation of Tower’s privacy policy representations and federal law.

352 F.3d 107 (3rd Cir. 2003)
Court of Appeals
The 3rd Circuit Court of Appeals ruled that an employer's decision to search through an employee's email does not violate the Electronic Communications Privacy Act (ECPA) since ECPA bans an "interception" only if it occurs at the time of transmission and exempts the owner of an e-mail system from any claim alleging an illegal "seizure" of stored e-mail. In this case, since Richard Fraser's emails were stored on Nationwide's system, any search by the company was authorized by an express exemption in the federal ECPA for e-mail service providers.

341 F.3d 978 (9th Cir. Aug. 2003)
Federal Circuit
Plaintiff brought a civil suit against Farey-Jones based on the Defendant's use of a subpoena to get copies of the Plaintiff's emails. The District court dismissed the case on grounds that no federal act protected the Plaintiff.

276 F. Supp. 2d 110 (D.C. 2003)
Federal
The Federal Trade Commission had issued a ruling stating that, for purposes of the Gramm-Leach-Bliley Act, attorneys would be considered financial institutions if they provided services relating to real estate settlements, tax planning and tax preparation. The American Bar Association and New York State Bar Association both filed complaints challenging the FTC ruling.

355 S.C. 329 (S.C. 2003)
The Supreme Court of South Carolina heard a case brought by victims of identity theft who were suing credit card companies, who had issued credit cards to imposters, for negligence. The court held that South Carolina does not recognize a tort of negligent enablement of imposter fraud, and stated that the relationship between the companies and the victims was too remote.

settled (2003)
NY
Netscape has reached an agreement with New York Attorney General Eliot Spitzer over information collected through an early version of its SmartDownload software. Th software created a profile that was transmitted to Netscape and contained the Internet addresses of the SmartDownload users.

In the FTC's third case targeting companies that misrepresent the security of consumers' personal information, designer clothing and accessory marketer Guess, Incorporated has agreed to settle Federal Trade Commission charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers, contrary to the company's claims.

charged (2003)
Federal
A california man has been charged by federal authorities for hijacking Al Jazeera's website during the Iraq war and directing it to a web page that displayed an American flag. Racine also intercepted approximately 300 email messages intended for Al Jazeera.

279 F.Supp. 2d 1118 (N.D.C.A. 2003)
Federal
Bank of America challenged Daly City's ordinance requiring banks to obtain their customer's consent before sharing any information about the customer with any of the bank's affiliates or any third parties. The court ruled that the ordinances were preempted by federal law as to sharing information with affiliates, but were valid to the extent they required banks to obtain customers consent to share information with third parties.

Mrs. Fields Cookies and Hershey Foods Corporation have each agreed to settle Federal Trade Commission charges that their Web sites violated the Children's Online Privacy Protection Act (COPPA) Rule by collecting personal information from children without first obtaining the proper parental consent. Mrs. Fields will pay civil penalties of $100,000 and Hershey will pay civil penalties of $85,000.

Columbian Constitutional Court (Columbia, 2003)
Foreign
The Columbian Constitutional Court ruled that allowing access to personal information kept by public instituions on websites infringes on an individual's personal rights. The plaintiff filed suit against various government ministries for allowing public access to an individual's property and social security records through a government website.

No. 01-CV-1101(D.C. 2002)
Federal
A court upheld a forum selection clause in an Internet Service Access Agreement. Plaintiff filed a class action suit against Verizon in the District of Columbia Superior Court alleging breach of contract, negligent misrepresentation and violation of Virginia's consumer protection laws.

No. 01-5202 (D.C. Cir. 2002)
Federal
The D.C. Court of Appeals upheld a lower court decision regarding the Gramm-Leach-Bliley Act (GLBA). Trans Union LLC had challenged the privacy provisions of GLBA on various grounds, including that the GLBA violated the First Amendment.

292 F.Supp.2d 263 (D. Mass. 2003); 329 F.3d 9 (1st Cir. 2003); 220 F. Supp. 2d 4 (D. Mass 2002);CA No. 00-11672-JLT (D. Mass. 2002)
Federal
A federal court dismissed a class action privacy lawsuit against several pharmaceutical companies and the company they had contracted with to monitor their website traffic. The plaintiffs filed suit alleging that the companies had violated their privacy by collecting and tracking personal information and email gleaned from their computers through the use of cookies.

FTC File No. 012 3240
F.T.C.
Microsoft agreed to settle a FTC investigation into its Passport Internet Service. Responding to a formal complaint by privacy groups, the FTC determined that Microsoft had made deceptive claims and misrepresented the security and privacy of Passport Internet Services.

Microsoft Corporation has agreed to settle Federal Trade Commission charges regarding the privacy and security of personal information collected from consumers through its "Passport" web services.

Ill. App. Ct., 1st Dist., Nos. 1-01-0480, 5/31/02
IL
An Illinois state court ruled on the applicability of the Federal Warranty Act, 15 USC sec. 2301. Purchasers of Gateway computers filed suit against Gateway seeking to have various defects in the computers repaired.

N.Y. App. Div., No. 2000-8199, 4/15/02
NY
A New York appellate court dismissed a class action lawsuit concerning privacy. A class of credit card and mortgage holders sued Chase Manhattan for selling their consumer information to non-affiliated third party vendors without their consent.

The FTC announced today that the Ohio Art Company, manufacturer of the Etch-A-Sketch drawing toy, will pay $35,000 to settle charges brought by the FTC that it violated the Children's Online Privacy Protection Rule by collecting personal information from children on its www.etch-a-sketch Web site without first obtaining parental consent.

(S.D.N.Y. 2002)
Federal
Doubleclick has agreed to a preliminary settlement agreement that would resolve a number of class action lawsuits for violating consumers' privacy. Under the settlement agreement, DoubleClick has agreed to the following: to initiate a consumer privacy education campaign; to provide clear notice and choice of data collection practices in its privacy policy; to obtain consumer consent before combining personally identifiable data with web surfing history; to add a 5 year expiration on cookies served to consumers, and submit to an independent audit to ensure compliance with the terms of the settlement.

No. 19304-7-III (Wash. Ct. App. 2001)
WA
A Washington Appellate Court affirmed a conviction for second degree rape of a child. The defendant appealled the lower court's decision to admit into evidence copies of email messages between himself and a police officer posing as a 13 year old girl.

No. 00-20926 (5th Cir. 2002)
Federal
The Fifth Circuit upheld a city employee's conviction for possession of child pornography. Slanina was the Fire Chief of Webster, Texas.

Case No. 01-6097 (10th Cir. 2002)
Federal
The Tenth Circuit Court of Appeals affirmed a lower court's refusal to suppress images of child pornography seized from the defendant's Oklahoma State University computer. Professor Angevine used his university owned computer to download pornographic images of children.

Case No. 00-3299 (7th Cir. 2002)
Federal
Plaintiff Muick sued his former employer, Glenayre Electronics for violating his right to privacy based on the Fourth Amendment. Federal authorities were investigating Muick for violating federal child porography laws.

306 F.3d 17 (2th Cir. 2002); 150 F. Supp. 2d 585 (S.D.N.Y. 2001)
Federal
The federal court ruled on the enforceability of an arbitration provision included in a license agreement for downloading software. The Plaintiffs alleged that Netscape was collecting personal information about them in violation of federal law.

The FTC announced today that the American Popcorn Company ("APC") settled charges that it violated the Children's Online Privacy Protection Act ("COPPA").

Filed (Vermont, 2002)
VT
Insurance industry trade groups have filed suit against the State of Vermont over the state's new financial privacy regulations. Vermont's new regulations provide even greater financial privacy protection than the Gramm-Leach-Bliley Act of 1999.

High Court (United Kingdom, 2002)
Foreign
The High Court ruled on a challenge to the sharing of personal information on an electoral register. Plaintiff Robertson sued his local election authority over the disclosure of personal information on the electoral register.

(Settled)
F.T.C.
Eli Lilly has agreed to settle FTC charges relating to the unauthorized disclosure of personal information collected from consumers through its website. Eli Lilly manufactures and sells drugs, including Prozac.

Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site.

Settled ( 2001)
Federal
Toysrus.com, the online arm of Toys "R" Us signed a consent decree agreeing to pay $50,000 in fines to head off a potential lawsuit by the State of New Jersey alleging that it shared customers' personal information.

135 F. Supp. 2d 623 (E.D. Pa. 2001)
Federal
A federal court held that the federal and Pennsylvania Wiretap Acts and Stored Communications Acts do not apply to the retreival of email messages from post-transmission storage. Plaintiff Fraser worked as an insurance agent for the defendant Nationwide Mutual Insurance Company.

266 F.3d 64 (2d Cir. 2001)
Federal
The Second Circuit affirmed a lower court decision that found an employee's right to privacy had not been violated when his work computer was searched for unauthorized programs. Department of Transportation investigators, after receiving an anonymous tip that a certain employee was neglecting his duties, printed out a list of file names from plaintiff Leventhal's computer.

(Canada 2001)
Foreign
The federal privacy comissioner of Canada issued his first decision under the Personal Information Protection and Electronic Documents Act (PIPEDA), ruling that the use of street surveillance cameras by the city of Yellowknife was illegal. PIPEDA prohibits organizations from the collecting or disclosing personal information without first providing notice and obtaining the individual's consent.

Arret No. 41-6410/2/01 (France 2001)
Foreign
The Supreme Court of France struck down a lower court ruling and decided that employers do not have the right to read their employees' emails or other electronic records. The suit involved Frederic Onos, who was fired by Nikon France after the company discovered through reading his emails that he had been using company equipment to perform unauthorized freelance activities.

Privacy Commissioner of Canada (Canada, 2001)
Foreign
The Privacy Commissioner of Canada ruled that physician prescribing habits do not constitute personal information under Canada's new privacy legislation.

The FTC announced today that Lisa Frank, Inc., a popular girls' toys and school supplies manufacturer that operates a website that markets Lisa Frank products to children will pay $30,000 in civil penalties to settle FTC charges that it violated the Children’s Online Privacy Protection Rule (COPPA Rule) and the FTC Act.

2001 U.S. Dist. LEXIS 17503 (W.D. Wash. 2001)
Federal
Plaintiffs filed a suit alleging that Avenue A had placed a "cookie" on the plaintiffs'computers, permitting the defendant to monitor the plaintiffs' electronic communications without their knowledge. The court held that the plaintiffs had failed to satisfy the minimum $5000 damage requirement of the Computer Fraud and Abuse Act.

2001 U.S. Dist. LEXIS 17020 (N.D. Cal. 2001)
Federal
Plaintiff filed suit alleging that Amazon and Cybersource violated the The Federal Wiretap Act and the Electronic Communications Privacy Act (ECPA). Crowley purchased goods from Amazon's website.

(Santa Clara County Superior Court, 2001)
CA
The Santa Clara County Superior Court refused a subpoena request by Pre-Paid Legal Services seeking the names of eight people who had anonymously posted messages critical of Pre-Paid on a message board. Pre-Paid claimed they were seeking the identities to determine if any of the anonymous postings came from former employees who are subject to a court injunction not to discuss company activities.

2001 ABCA 181 (Canada, 2001)
Foreign
The Alberta Court of Appeals upheld a trial court's decision concerning evidence provided to the police by the defendant's Internet service provider. During the course of a repair of Weir's mailbox, the ISP discovered attachments to email messages that contained child pornography.

FTC Ruling, (May 25, 2001)
F.T.C.
The FTC decided not to take action against Amazon.com and its subsidiary Alexa Internet. The ruling stems from complaints that Alexa, which produces a web browser plug in that assists users find websites that match their interests, was collecting personally identifiable information.

Complaint filed with FTC (May 25, 2001)
F.T.C.
The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC against eTour.com for selling customer's personal information to the online query site AskJeeves.

FTC ruling (2001)
F.T.C.
The FTC ruled that Amazon did not violate federal law prohibiting unfair and deceptive trade practices. Amazon altered its privacy policy to allow it to share customer data with other companies so long as the customer did not object to the practice.

145 F. Supp. 2d 6 (D.D.C. 2001)
Federal
Defendant's motion was granted after finding that the regulations promulgated by the Federal Trade Commission to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act, was neither unlawful nor unconstitutional. The Gramm-Leach-Bliley Act addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers.

140 F. Supp. 2d 1088 (W.D. Wash. 2001)
Federal
John Doe moved to quash a subpoena issued by 2TheMart.com to Silicon Investor/InfoSpace (InfoSpace). The subpoena was sought as a part of a shareholder derivative class action in which 2TheMart.

The FTC announced a settlement today with Girl's Life, Inc. and Monarch Services, Inc., operators of girlslife.com; Looksmart, Ltd., which operates a free online message boards; and Bigmailbox.com, Inc., which offered a free email service through its website and numerous other websites, including websites directed to children.

2001 U.S. App. LEXIS 6241 (D.C. Cir. 2001)
Federal
The US appeals court in Washington DC has affirmed a district court ruling forcing Trans Union Corporation to stop selling marketing lists based on credit reports. Ten years ago the FTC ordered Trans Union and others to stop selling these credit reports pursuant to the Fair Credit and Reporting Act.

138 F. Supp. 2d 1272 (C.D. Cal. 2001)
Federal
Plaintiffs alleged that Intuit violated their privacy by collecting personal information about them through the use of "cookies" that Intuit planted on the defendants' computers when they visited the Intuit website www.quicken.

filed (D. Md. 2001)
Federal
Bank of America has been charged with violating the Fair Credit Reporting Act (FCRA). Specifically the lawsuit alleges the bank purchased credit reports it did not need and proceeded to sells these reports to entities that had no previous relationship with the bank.

1999 U.S. Dist. LEXIS 20204 (D.N.J. 1999)
Federal
Users searching the Internet for plaintiff's Stacker 2 weight loss drug were directed via embedded metatags to sites offering defendant's competing Xenical drug, although sites were operated by third parties (often through anonymous hosts). Judge dismissed Hoffman-La Roche as defendant, but issued order barring third parties from incorporating the Stacker 2 trademark in their sites.

Docket No.: 18830-2-III (Wash Ct. App. 2000)
WA
Spokane County responded to a request for release of public documents relating to a wrongful discharge claim filed by Gina Tiberino.

No. 00 CH 17405 (Ill. Cir. Ct., Cook Cty., filed Dec. 5, 2000).
IL
Cook County State's Attorney Richard Devine filed suit against Clearstation and Doubleclick alleging that the sites are misrepresenting their cookie policy and compromising consumer privacy rights. Devine contends that while Clearstation's investment analysis web site claims that long-term cookies will not be used, the site uses cookies for up to one year and fails to disclose the use of cookies by third party advertisers in its privacy policy.

Texas, filed Sept. 25, 2000
TX
The parties settled within an hour after the Texas attorney general's office filed suit to enjoin failed Internet furniture store Living.com from selling customer information.

New Hampshire, Sept. 2000
NAF
A parent of students in New Hampshire's Exeter School District is suing for disclosure of records showing the student's web site visits on school computers. The District argues such disclosure violates the Electronic Communication Act of 1986 and privacy while plaintiff argues school computer users have no privacy expectations.

filed (D. Cal. 2000)
Federal
Plaintiff Jim A. Darby is suing a Boston-based company that monitors consumer activity on pharmaceutical web sites. Darby's suit seeks unspecified damages and alleges that the defendant is violating the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.

Miami-Dade Circuit Court, filed Aug., 2000
FL
Part of an action against an anonymous Yahoo! user who posted claims revealing allegedly inside information against the plaintiff. Sports Authority is demanding that Yahoo! provide documents that may lead to the poster's identity, whom Sports Authority suspects to be one of its employees.

Resolving the first case enforcing the Children's Online Privacy Protection Act, the FTC today announced a settlement with Toysmart.com.

Civ. 00-11341-RGS (D. Mass., filed July 10, 2000)
Federal
The FTC filed suit against failed Internet toy store, Toysmart.com for violation of its own privacy policy stating that personal information would never be shared with third parties.

S.D.N.Y., filed June 30, 2000
Federal
Class action suit accuses Netscape, an AOL subsidiary is violating the Electronic Communications Privacy Act and the Computer Fraud and abuse Act. The suit alleges that Netscape tracks internet user activity through the use of its SmartDowload software program, allowing Netscape to secretly monitor downloads of .

No. C00-0221P (W.D. Wash., Apr. 19, 2000)
Federal
Class action alleges that Alexa software, downloaded and used by the class, allows Alexa and its distributor, Amazon to acquire personal information about users in violation of their privacy rights under the Electronic Communications Privacy Act. The court rejected Amazon's argument that each plaintiff must prove his or her understanding of the privacy policy in order to establish that the defendants acted without authorization under ECPA.

No. 99 C 6926 (E.D. Ill., May 16, 2000)
Federal
The Northern District of Illinois held that personal jurisdiction is proper over an Irish retailer using the Crate & Barrel name. Although the court refused to assert general jurisdiction, it noted the high level of interactivity on the defendant's website, which included an online catalog and allowed online ordering.

No. 2:00cv04993 (C.D. Cal., filed May 11, 2000)
Federal
Plaintiff charged Yahoo! with violating his constitutional and contractual rights to privacy. According to the complaint, plaintiff posted comments that criticized his employer on a Yahoo! message board using a pseudonym, with the expectation that under Yahoo!’s privacy policy, Yahoo! would not disclose his identity to any third party.

No. 00CV 2629 (N.D. Ill. filed May 10, 2000)
Federal
Class action complaint alleges that defendant violated the Electronic Communications Privacy Act and other federal statutes by surreptitiously compiling plaintiffs’ confidential information for its own use and/or transferring confidential information to third parties. Case was transferred from the Western District of Washington.

No. CV-00-00026-(Misc) MHP (N.D. Cal., Apr. 24, 2000)
Federal
On an issue of first impression, the U.S. District Court for the Northern District of California refused to compel Netscape to reveal the identity of two e-mail account holders, based on its reading of the 1986 Electronic Communications Privacy Act

No. 4:99 CV 1633 DDN (E.D. Mo., Apr. 13, 2000)
Federal
The defendant's website, which did not allow orders to be placed but was ultimately intended to was not sufficient contact with Missouri to allow the exercise of personal jurisdiction. Although the court noted that in Maritz v.

S.D.N.Y., filed April 11, 2000
Federal
The operator of an online chat service filed suit against an anonymous person who had been entering the company's chat rooms and posting obscene messages allegedly intending to harass others. The operator invoked a surviving portion of the Communications Decency Act prohibiting the use of a telecommunications device to transmit obscene , lewd, or indecent comments with the intent to annoy or harass another.

Adopted Apr. 4, 2000
Foreign
Legislation will require Canadian companies, including ISPs, to obtain affirmative consent from customers before providing their personal information to third parties. The bill takes effect on January 1, 2001.

N.D. Cal., filed Apr., 2000
Federal
The court lifted a temporary restraining order barring Yahoo! from blocking a subscriber's email account access for refusal to provide credit card information. The court held that verifying account holders as adults is a valid reason for requiring credit card information.

DO32423 (Cal. 4th Dist. Ct. App., Div. 1, Mar. 31, 2000)
CA
The court found a California statute outlawing the knowing Internet transmission of material deemed harmful to minors in an attempt to seduce them is not an undue burden on interstate commerce and does not violate constitutional rights to free speech. The court noted that any existing burden in such cases is not on any protected right to engage in commerce.

100 F. Supp. 2d 404 (N.D. Miss. 2000)
Federal
Although allegedly defamatory remarks on the defendant's web site subjected it to Mississippi's long-arm statute, the Northern District of Mississippi ruled that without any other contacts, the assertion of personal jurisdiction would