Third Quarter 2011

In This Issue:


I. BEHAVIORAL TRACKING

A. Another Class Action Complaint Filed for Use of Cookies
B. Flash Cookies Held Not to Violate CFAA
C. ISP Privacy Policy Defeats Privacy and ECPA Claims
D. Defunct Internet Marketer to Pay $2.4 Million in Class Action Settlement
E. comScore, Inc. Sued for Use of Surveillance Software

II. ONLINE AND CONSUMER PRIVACY

A. FTC Issues Proposed Revisions to COPPA Rule
B. Apple Sued for Use of Image Exceeding Scope of License
C. Company Settles With FTC Over False Claims of Safe Harbor Status
D. $18.9 Million Verdict Affirmed for Copying Business Information
E. Dillinger References in Video Game Do Not Violate Indiana Right of Publicity
F. Court Dismisses Claim Against Facebook Over Its Friend Finder Service

III. MOBILE PRIVACY

A. NASCAR Faces Class Actions for Unsolicited Text Messages
B. FTC Brings First COPPA Case Against Mobile Apps

IV. LIABILITY SHIELDS

A. Offering Incentives to Upload Infringing Content May Create Liability
B. No Direct Infringement Where Defendant Did Not Take Volitional Steps

V. DATA BREACH AND DATA SECURITY

A. California Breach Notice Law Will Require AG Notice Starting January 1, 2012
B. Rhode Island Enacts Identity Theft Prevention Act
C. The EU Working Party Finds New Zealand’s Data Protection Laws “Adequate”
D. LimeWire Settles With Maryland Regarding Breach Incident
E. WellPoint Settles with Indiana Over Delayed Breach Notification

VI. FINANCIAL PRIVACY

A. California Court Rules Song-Beverly Does Not Apply Online
B. Visa Drops PCI DSS Certification Requirement for Merchants with Card Chip Readers
C. Transfer of Credit Card Information May Violate Wiretap Act
D. FINRA Gives Guidance to Financial Firms on Use of Social Media
E. Credit Reporting Agency to Pay $1.8 Million for Alleged FCRA Violations

VII. WORKPLACE PRIVACY

A. NLRB Offers Guidance on Social Media Cases
B. Connecticut Statute Bars Employers’ Use of Credit Reports
C. North and South Carolina, Georgia Adopt Mandatory E-Verify for Certain Employers

VIII. HEALTH CARE PRIVACY

A. Challenge to Maine Data Mining Law Sent Back to Lower Court
B. Employees Access Celebrity and Other Medical Records in Violation of HIPAA

Brian Heidelberger will present on “It Isn’t Going Away: What Corporate Counsel Need to Know about Social Media” at Northwestern Law School’s 50th Corporate Counsel Institute on October 5-6, 2011 in Chicago. For more information click here.

I. BEHAVIORAL TRACKING

A. Another Class Action Complaint Filed for Use of Cookies

A class action complaint was recently filed against a major internet service provider alleging violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Privacy Act of Massachusetts. When a consumer downloads a web page that contains video content designed to be displayed using Adobe’s Flash software, the Adobe Flash Player software installed on the consumer’s computer can be used to display that video content on the web page. When a website incorporates content displayed using Flash technology, the site can store files called “local shared objects” (“LSOs”) on the computer of a consumer using Flash Player. According to the complaint, the ISP in question stores LSOs for a different purpose: it used LSOs as substitutes and backups for browser cookies to circumvent the browser controls that the plaintiff and class members had set to block or delete browser cookies, so that the company could track and profile the plaintiff and class members. In other words, the complaint alleges that the company used these LSOs, or “flash cookies,” to circumvent browser controls and track the plaintiff and class members even though they had disabled cookies on their computers.

TIP:   Advertisers may wish to disclose the use of LSOs or flash cookies in their privacy policies.

B. Flash Cookies Held Not to Violate CFAA

Plaintiff sued Interclick and several advertisers under the Computer Fraud and Abuse Act (“CFAA”), alleging that Interclick used “flash cookies” or “local shared objects” to back up browser cookies. When a computer user deletes the browser cookies, the flash cookie “respawns” the browser cookie without notice to or consent of the user. The flash cookie may be larger than the browser cookie. The plaintiff found flash cookies placed on her computer. All defendants moved to dismiss the complaint on the grounds that the plaintiff failed to allege a cognizable injury or to meet the $5,000 threshold required to state a claim under the CFAA. The court concluded that the plaintiff failed to quantify any damage that Interclick caused to the plaintiff’s computer systems or data that could require an economic remedy. Additionally, the court concluded that Interclick’s collection of the plaintiff’s personal demographic information does not constitute sufficient damages: a plaintiff’s inability to delete or control cookies may constitute a de minimis injury, but such injury was insufficient to meet the $5,000 threshold. The court did, however, permit the plaintiff to continue with a state law deceptive trade practices claim and a trespass to chattels claim.

TIP:   Under this decision, an advertiser’s collection of personal demographic information from consumers via flash cookies may not constitute a violation of the Computer Fraud and Abuse Act. Advertisers should still take caution when using such technologies, as this is only one opinion among several cases regarding the use of flash cookies. To help avoid liability, advertisers should provide users with notice and an opportunity to opt out of receiving such LSOs.

C. ISP Privacy Policy Defeats Privacy and ECPA Claims

On May 16, 2011, the U.S. District Court for the District of Montana dismissed an ISP subscriber’s claims against his ISP for collecting and sharing his internet usage information with a third party. The ISP diverted subscriber internet traffic to a third party, NebuAd, which in turn used the information to send targeted advertisements to the ISP’s subscribers. The subscriber sued the ISP for invasion of privacy and violations of the Electronic Communications Privacy Act (“ECPA”) and the Computer Fraud and Abuse Act (“CFAA”). The court dismissed the case, finding that the subscriber consented to the collection and use of his personal information because: (1) the ISP’s privacy policy explained to subscribers that their data would be collected and shared with third-party vendors, including for advertising purposes; and (2) the subscriber had received an email notification that the ISP had partnered with a third party to deliver advertisements to its subscribers while they surfed the Internet, which included the option to opt out of the program.

TIP:   Companies should not only ensure that their Web site privacy policies accurately reflect their data collection and use practices, but also consider what other steps might be needed to clearly explain those practices to Web site users.

D. Defunct Internet Marketer to Pay $2.4 Million in Class Action Settlement

NebuAd, Inc., an online advertising company that recently went out of business, has agreed to settle class action claims stemming from alleged violations of federal and state privacy laws. As we previously reported in June, plaintiffs filed suit against NebuAd and several defendant ISPs because of their collective practice of tracking consumers’ online activities in order to deliver targeted advertisements. The complaint stated that the ISPs gathered the information and provided it to NebuAd, which in turn served targeted ads. The case against two of the four ISPs was dismissed for lack of personal jurisdiction. As we reported in June, NebuAd lost its motion to dismiss the state law claims. We continued to track the case, as the court did not reach a decision on plaintiffs’ allegations that NebuAd’s activities violated the Electronic Communications Privacy Act (“ECPA”). In addition, the claims against the ISPs continued when the plaintiffs re-filed against the ISPs in their local jurisdictions. Before the court was able to reach a decision on the merits of the federal ECPA claim, NebuAd agreed to settle the case. As part of the settlement, NebuAd is to pay over $2.4 million, with almost $800,000 going to the plaintiffs’ attorneys and approximately $1.7 million going to a charity of plaintiffs’ choice. NebuAd officials also agreed to testify against the ISPs, whom plaintiffs allege participated in improper activities by not giving consumers adequate notice and not respecting consumers’ choice to opt out of receiving behaviorally tracked ads and of being tracked for advertising purposes. To date, at least two of the actions brought against defendant ISPs have been dismissed. One action was dismissed after the court determined plaintiffs consented to the ISP’s activity, while the other was dismissed after the court determined the ISP did not violate the Wiretap Act.

TIP:   Companies should exercise care when serving behaviorally targeted ads and when working with vendors who offer these services. This includes vendors who will serve ads on third-party websites as well as vendors who offer to take existing information companies might have about their consumers in order to serve behaviorally targeted ads. When behaviorally targeted ads are served, companies can limit their liability in a potential lawsuit by giving consumers notice and the ability to opt out. If a consumer opts out, care should be taken both to avoid collecting information in order to serve behaviorally targeted ads and to avoid serving any behaviorally targeted ads. Self-regulatory programs like those described at aboutads.info can assist in providing both notice and choice.

E. comScore, Inc. Sued for Use of Surveillance Software

A recent class action against comScore, Inc. alleges that the company acquired consumer personal information through its software and sold it to third parties without notifying consumers or obtaining their consent, allegedly in violation of the Stored Communications Act and the Electronic Communications Privacy Act, and allegedly constituting a deceptive trade practice under state law. The complaint alleges that comScore’s software, which is offered at no cost to consumers and provides games, screensavers, and other functional applications, also contains a surveillance program that scans the consumer’s computer, monitoring data such as the consumer’s usernames and passwords, internet queries, internet traffic, advertisements consumers click on, goods purchased by the consumers, and credit card and financial information. Furthermore, the complaint alleges that the consumer cannot disable or uninstall comScore’s applications.

TIP:   Take care to fully disclose all software functionality to consumers, especially if it includes tracking features.

II. ONLINE AND CONSUMER PRIVACY

Liisa Thomas will present on “Creating Ethically Responsible Social Media & Advertising for Children” at CARU’s Annual Conference on October 5, 2011 at the Ritz Carlton Battery Park in New York City. For more information click here (to receive $100 off the cost of registration, mention that you are a Winston & Strawn client when registering).

Liisa Thomas and Anthony DiResta will speak on “Marketers to Lawyers: How to Keep Your Brands Talkable – Not Liable” at the Word of Mouth Marketing Association Talkable Brand Exchange program in New York City on October 11, 2011. For more information click here.


A. FTC Issues Proposed Revisions to COPPA Rule

The FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (the “Rule”) and is seeking comment. The Commission proposes modifications to the Rule in the following five areas: Definitions, Notice, Parental Consent, Confidentiality and Security of Children’s Personal Information, and Safe Harbor Programs. In addition to modifying these provisions, the Commission proposes adding a new Rule section addressing data retention and deletion.

The proposed rules seek to expand the definition of personal information to include geolocation information and tracking cookies used for behavioral advertising, and to modify the definition of “collection” to allow children to participate in interactive communities without parental consent, provided that the sites take reasonable measures to delete the child’s personal information to prevent public disclosure.

The proposed rules also require that websites give parents direct notice before collecting a child’s personal information, as opposed to merely giving notice in a privacy policy. The FTC also proposes adding several new ways to obtain parental consent, and eliminating the “email plus” method of obtaining parental consent (a lower standard that currently applies when the child’s personal information is not being shared, or the child is not given the ability to share personal information). The FTC also proposes strengthening the Rule’s current confidentiality and security requirements. In addition, the FTC is proposing a change to the safe harbor process. Companies that participate in approved programs are shielded from liability under the COPPA Rule. This shield will still exist; however, the FTC proposes that approved safe harbor providers be required to audit their members at least annually and to report the results of those audits periodically to the FTC in order for their safe harbor status to remain effective.

TIP:   Comments are due to the FTC on or before November 28, 2011. Please contact us if you may be interested in submitting comments.

B. Apple Sued for Use of Image Exceeding Scope of License

A photographer filed a lawsuit against Apple, Inc. for allegedly using a copyrighted photo in an advertisement for Apple’s iPhone without permission. The photographer alleges that she licensed a photo of the band “She and Him” to Merge Media for limited use in magazines or on posters to promote the band’s appearances. Furthermore, the license to Merge Media explicitly excludes the right to use the image to promote other entities or products, such as with an album release. The photographer alleges that Apple used her copyrighted image in a television commercial promoting the iPhone without obtaining permission, exceeding the scope of the license granted to Merge Media. The complaint indicates that Merge Media used the image in connection with the album release, and Apple then used the image in a commercial showing the album’s availability on the iPhone.

TIP:   When licensing copyrighted material from an entity, companies should ensure that the entity from which they are obtaining the license has the right to grant them the rights contemplated by the license, especially where the entity providing the license is not the original copyright holder.

C. Company Settles With FTC Over False Claims of Safe Harbor Status

An online retailer recently agreed to be enjoined from making misrepresentations that it is in voluntary compliance with the U.S.-EU Safe Harbor Framework. The European Union Data Directive requires EU member countries to implement legislation that prohibits the transfer of personal data outside the EU except to countries that the EU has found to provide laws that are substantially equivalent to the EU’s privacy laws. The Safe Harbor was developed by the U.S. Department of Commerce and the EU because the EU believes United States data protection laws do not meet the EU standards. Personal data can be transferred outside the EU to U.S. companies that self-certify to the U.S. Department of Commerce that they comply with the Safe Harbor principles. In this case, the defendants represented that they self-certified to the U.S. Department of Commerce that they comply with the Safe Harbor when, in fact, the defendants never self-certified. The FTC’s consent judgment indicates that this representation is false and misleading and constitutes a deceptive act or practice in violation of Section 5 of the FTC Act.

TIP:   A company that self-certifies to the Safe Harbor principles but fails to implement those principles may be subject to an FTC enforcement action under Section 5 of the FTC Act.

D. $18.9 Million Verdict Affirmed for Copying Business Information

The Third Circuit Court of Appeals recently upheld a 2006 verdict against USI MidAtlantic, Inc. for $18.9 million plus $4.6 million in prejudgment interest stemming from a copyright infringement suit brought by competitor The Graham Company. The suit alleged Thomas P. Haughey, a former Graham employee who left Graham in 1991 to work for USI MidAtlantic, took with him two binders containing hundreds of pages of information describing different insurance products created by Graham employees which were subject to the firm’s copyrights. The suit further alleged that USI MidAtlantic copied language verbatim from the binders into over 800 client proposals to sell their insurance products. A jury found USI MidAtlantic’s “indirect” infringement went on for over ten years. Pursuant to the Copyright Act, Graham recovered profits attributable to USI MidAtlantic’s infringement, plus prejudgment interest.

TIP:   Copyright infringement can extend beyond direct, “reproduction and sale” infringement to include indirect infringement whereby a company uses a copyrighted work of another to help sell its products. Accordingly, companies should ensure they use original materials when preparing proposals and other information to support their sales.

E. Dillinger References in Video Game Do Not Violate Indiana Right of Publicity

A District Court in Indiana recently granted a summary judgment motion in a case against Electronic Arts, a popular video game manufacturer. The case was brought by Dillinger LLC, the owner of two trademarks for “John Dillinger.” In the complaint, Dillinger LLC claimed to own the publicity rights to the late mobster John Dillinger under Indiana’s right of publicity statute, enacted in 1994. The company alleged EA violated Dillinger’s publicity rights under the statute when it included references to John Dillinger in its popular video game series based upon The Godfather. In granting EA’s motion for summary judgment, the court held Indiana’s right of publicity statute does not apply to personalities who died prior to its enactment in 1994. Additionally, the court went on to conclude that video games fell under an exemption in the statute for “literary works.” It determined a broad definition of “literary works” was necessary to avoid First Amendment concerns because “video games have just as much protection under the First Amendment as does ‘highbrow literature.’”

TIP:   While the Indiana right of publicity statute does not apply to persons who died prior to 1994, this is not the case in all states, so use of a deceased celebrity without permission from the celebrity’s estate must be reviewed on a case-by-case basis. Moreover, commercial ads are not likely to enjoy First Amendment rights as broad as those granted video games in this case.

F. Court Dismisses Claim Against Facebook Over Its Friend Finder Service

The U.S. District Court for the Northern District of California recently dismissed a misappropriation case, one of many pending against Facebook, stemming from its Friend Finder service. Plaintiffs brought a class action lawsuit alleging state law misappropriation, as well as Lanham Act and unfair competition claims. The Friend Finder service allows users to search their email contacts for Facebook users, while simultaneously publishing to all their Facebook friends the names and pictures of account holders who had used the service. While the court did not agree with Facebook that its broad terms of service unequivocally gave Facebook the right to use Facebook users’ names and photos in such a way, it dismissed the case after finding that plaintiffs failed to allege that such use caused them injury. Although the plaintiffs alleged “injury-in-fact,” they failed to allege any economic or emotional harm. The court concluded this was fatal to plaintiffs’ misappropriation and unfair competition claims. Finally, in dismissing the Lanham Act claim, the court concluded that the plaintiff, a non-celebrity who was not otherwise well known, had no economic interest in her name.

TIP:   While this case was dismissed because there were no damages, it serves as a reminder to companies to fully disclose how personal information will be used.

III. MOBILE PRIVACY

A. NASCAR Faces Class Actions for Unsolicited Text Messages

Two separate class actions, filed individually against NASCAR and an internet gaming company, allege that the two violated the Telephone Consumer Protection Act (“TCPA”) by sending text messages to consumers’ cell phones using an automated telephone dialing system without the consumers’ prior express consent. Furthermore, the complaints allege that when the consumer replied “end” or “stop,” the consumer was sent a further unsolicited text message confirming that the consumer had been removed from the SMS program, which plaintiffs allege also violated the TCPA. Under the TCPA, advertisers are required to obtain prior express consent from a consumer before sending text messages to the consumer’s cell phone using an automated dialing system or an artificial or prerecorded voice. These cases follow a recently settled lawsuit brought against Twitter (by the same attorney) that made the same allegations.

TIP:   When sending text messages to consumers, confirm that you have obtained prior express consent. If confirming an opt-out, consider using other mechanisms such as voice or email.

B. FTC Brings First COPPA Case Against Mobile Apps

In the FTC’s first case involving mobile applications, the Commission charged a developer of apps as well as the company’s president and owner with violations of the Children’s Online Privacy Protection Act (“COPPA”). Specifically, W3 Innovations (d/b/a Broken Thumbs Apps) develops and distributes mobile apps that allow users to play games and share information online. Several of W3’s apps were specifically directed to children, and were listed in the Games-Kids section of Apple’s App Store. W3’s games include “Cootie Catcher” and “Truth or Dare,” as well as a group of apps that invited kids to email questions and comments to “Emily” and submit postings to the Emily Blog. The FTC alleged that the company collected and maintained thousands of email addresses through the Emily apps, as well as allowed children to publicly post information, including personal information, on message boards. According to the FTC complaint, the company did not provide notice of their information-collection practices and did not obtain verifiable parental consent prior to collecting or disclosing personal information from children. The FTC complaint indicated that these apps were “online services directed to children,” and thus subject to the COPPA Rule. The parties settled with the FTC obtaining, inter alia, a $50,000 civil penalty from W3 and W3 agreeing to delete all information collected from children through the apps.

TIP:   This case demonstrates that the FTC views apps as “online services” potentially subject to COPPA. Companies should thus ensure that, where appropriate, their apps comply with COPPA. In particular, companies should take care with the following types of apps: apps that are directed to children, apps that are appealing to children, or apps through which companies know that they collect children’s information.

IV. LIABILITY SHIELDS

A. Offering Incentives to Upload Infringing Content May Create Liability

Adult entertainment company Perfect 10, Inc. sued an online file storage company for copyright and trademark infringement after users uploaded certain Perfect 10 content to the defendant’s service without authorization. The defendant moved to dismiss the complaint, arguing that it cannot be held liable for direct infringement because it is merely a passive conduit, and cannot be liable for contributory infringement because Perfect 10 failed to allege that the defendant had specific knowledge of the infringement. In denying the motion to dismiss, the District Court for the Southern District of California found that the defendant was more than a passive conduit or “file storage” company because it created distinct websites “in an effort to streamline” users’ access to different types of media, offered Rewards Programs that pay users to upload popular media, disseminated URLs for files throughout the internet, and was “plausibly aware of the online, rampant infringement taking place on its websites.” The court concluded that, in light of these facts, Perfect 10 adequately alleged that the defendant engaged in volitional conduct sufficient to hold it liable for direct infringement. In addition, the court found that Perfect 10 pleaded specific knowledge for contributory infringement, in part because even if the defendant lacked knowledge of the infringing activity, Perfect 10’s “allegations suggest such a lack of knowledge is willful.” The court did dismiss Perfect 10’s vicarious copyright infringement claim without prejudice because Perfect 10 did not allege that the defendant has the right and ability to supervise the infringing conduct, as required to state a claim for vicarious copyright infringement.

TIP:   It is high risk to offer incentives to users to upload copyrighted content to online storage sites.

B. No Direct Infringement Where Defendant Did Not Take Volitional Steps

Several content owners filed suit for copyright infringement against Hotfile Corp, a corporation that operates a website where users can upload electronic files, after which Hotfile provides the user with a unique link allowing anyone with the link to download the file. Hotfile pays users who upload the most popular files to its servers, and encourages users to promote their links. Files that infringe copyright constituted the majority of the downloaded files. Hotfile filed a motion to dismiss. The District Court for the Southern District of Florida dismissed the claim of direct copyright infringement because, although Hotfile allegedly encourages the massive infringement, the complaint did not allege that Hotfile took “volitional steps” to infringe the plaintiffs’ rights. However, the court concluded that Hotfile’s business model could give rise to contributory and/or vicarious liability for copyright infringement.

TIP:   Regardless of whether direct copyright infringement is found, secondary copyright infringement may be found for inducing infringing conduct of another or profiting from direct infringement while declining to exercise a right to stop or limit it.

V. DATA BREACH AND DATA SECURITY

A. California Breach Notice Law Will Require AG Notice Starting January 1, 2012

The California governor recently signed into law an amendment to the existing California data breach notification law. As amended, companies that are required to provide notice to individuals under California’s data breach notification law will also have to notify the California attorney general if more than 500 California residents are impacted. Under the revisions, companies that conduct substitute notice (permitted when there are more than 500,000 impacted individuals or the cost of notice would be more than $250,000) must also notify the California Office of Privacy Protection. This is in addition to making an announcement in major state-wide media outlets and posting a notice on the company website.

TIP:   Companies should ensure that they have a breach notification plan in place that outlines whom they need to notify and when. California joins a handful of states that require notification in the event of a breach not only to impacted individuals and credit reporting agencies, but to state officials as well.

B. Rhode Island Enacts Identity Theft Prevention Act

Rhode Island recently enacted new legislation that aims to protect consumers. Specifically, the law prohibits recording credit card or social security numbers on checks, and generally prohibits anyone from requiring a consumer of goods or services to disclose all or part of their social security number incident to the sale of such goods or services. Consumers may, however, be required to disclose all or part of their social security number if required by federal law, or if such disclosure is required by insurance companies, financial service institutions, health care companies, or credit card companies. Additionally, the law prohibits anyone from requiring consumers to furnish all or part of their social security number as a condition of applying for a consumer discount card.

TIP:   The new law, effective immediately, now prohibits companies from requiring the last four digits of a consumer’s social security number as previously permitted under the old law.

C. The EU Working Party Finds New Zealand’s Data Protection Laws “Adequate”

The European Union Data Directive requires EU-member countries to implement legislation that prohibits the transfer of personal data outside the EU except to countries that the EU has found to provide laws that are substantially equivalent to the EU’s privacy laws. The EU “Working Party,” an independent European advisory body on data protection and privacy, recently issued an opinion concluding that New Zealand’s data protection laws are adequate, such that personal data may be transferred from the EU to New Zealand.

TIP:   When transferring personal data from an EU company to a non-EU country, remember that some countries are deemed “adequate” and thus transfers are acceptable.

D. LimeWire Settles With Maryland Regarding Breach Incident

The company that provides the LimeWire file sharing service, Lime Group, LLC, recently settled with the Maryland Attorney General, agreeing to notify Maryland residents about the privacy risks associated with its file sharing service and agreeing to use best efforts to prevent those risks. The Maryland Attorney General began an investigation into LimeWire, alleging that the file sharing service had allowed the inadvertent sharing of private information on consumers’ hard drives, potentially compromising consumer social security numbers, tax records, health records, private family documents, or media files. The AG’s office alleged that when consumers updated to a new version of the software, the software may have retained the consumer’s file sharing index, making the consumer’s entire hard drive available for sharing by default. Under the settlement agreement, LimeWire will notify LimeWire users that if they downloaded LimeWire software in the past, files on their personal computer or sensitive information may have been shared and that the users should remove the software from their computers. Furthermore, LimeWire shall prominently warn consumers, via the landing page of its website and/or product download page, as well as in any images or statements presented during installation, that file-sharing software, products, and services often carry a risk of inadvertent file sharing, which may expose private or sensitive information contained on the user’s computer.

TIP:   Companies should ensure that they review and understand system functionalities, and look for potential security lapses that could give rise to a potential breach incident.

E. WellPoint Settles with Indiana Over Delayed Breach Notification

WellPoint, a health insurance company, and the Indiana attorney general’s office recently settled a lawsuit over a breach in an online application tracker website operated by WellPoint and its affiliates. As a result of the breach, personal information (including social security numbers, financial information, and health records) was publicly accessible on WellPoint’s website from October 2009 to March 2010. WellPoint notified individuals of the breach, but took 100 days to do so. The Indiana AG alleged that this failed to meet the “without unreasonable delay” requirement for breach notice under Indiana law. As part of the settlement, WellPoint agreed to pay $100,000.

TIP:   Companies should ensure that they are positioned to provide notice promptly in the event of a breach.

[Top]

VI. FINANCIAL PRIVACY

A. California Court Rules Song-Beverly Does Not Apply Online

The California Song-Beverly Act prohibits retailers from collecting certain personally identifiable information during a credit card transaction. In a case brought against the online classifieds website Craigslist, the plaintiff asserted that Craigslist should have complied with that law and should not have collected addresses and phone numbers during an online credit card transaction. The court dismissed the case, finding that the Act does not apply to online businesses.

TIP:   This is a welcome decision for any online retailers who were concerned that the restrictions of California’s Song-Beverly Act might apply to their activities.

[Top]

B. Visa Drops PCI DSS Certification Requirement for Merchants with Card Chip Readers

Visa announced on August 9 that merchants that use payment terminals that read the card’s embedded chip to authenticate the card for at least 75 percent of their transactions will no longer be required to undergo annual validation of compliance with the self-regulatory Payment Card Industry Data Security Standard (PCI DSS). To qualify, the terminals must be capable of both contact and contactless reading of payment cards and of mobile device payment applications using the embedded chip technology. Merchants that qualify for the exemption from annual PCI DSS validation must still comply with all other PCI DSS requirements, including not storing magnetic stripe track data, card security codes, or personal identification numbers after authorization. The policy will take effect on October 1, 2012. Visa also announced that U.S. acquirer processors must be able to support chip transactions by April 1, 2013, and that on October 1, 2015 it will shift liability for counterfeit point of sale fraud to merchants that have not deployed chip-capable terminals, with fuel merchants following on October 1, 2017.

TIP:   Merchants that process Visa transactions and have not yet deployed chip-capable terminals should consider adopting the technology ahead of the 2015 liability shift, both to avoid the annual PCI DSS validation process and to avoid absorbing counterfeit fraud losses. Note that the exemption removes only the annual validation; the merchant remains obligated to comply with PCI DSS.

[Top]

C. Transfer of Credit Card Information May Violate Wiretap Act

A class action lawsuit was filed against the owners of three merchant websites, alleging that the merchants, without authorization, transmitted the plaintiffs’ credit card information to a third party following certain purchases. The plaintiffs alleged that the third party recipient of this information then engaged in negative option marketing. The plaintiffs brought a number of claims, including violation of the Wiretap Act. The Wiretap Act makes it illegal for a person to intentionally intercept a wire, oral, or electronic communication. The defendants argued that there was no “interception” because consent is a defense to a claim under the Wiretap Act and the plaintiffs had voluntarily shared their credit card information. However, the District Court for the Northern District of Illinois denied the motion to dismiss the Wiretap Act claim, in part because, even if the plaintiffs had consented, consent does not bar liability if the communication is intercepted for the purpose of committing a criminal or tortious act. Notably, the court also denied the defendants’ motion to compel arbitration because a browsewrap agreement containing an arbitration provision was not displayed prominently enough to put a customer on notice.

TIP:   Note that the recently enacted Restore Online Shoppers’ Confidence Act requires the clear and conspicuous disclosure of all material terms of the transaction before a third-party, post-transaction seller can charge a consumer for goods or services sold online.

[Top]

D. FINRA Gives Guidance to Financial Firms on Use of Social Media

The Financial Industry Regulatory Authority (FINRA) recently issued a regulatory notice providing additional guidance regarding use of social media by financial firms and their employees. FINRA’s initial guidance in January of 2010 prompted a number of questions from financial firms, and this regulatory notice responds to those questions and provides clarification of the initial guidance. The clarifications include the following guidance:

• Social Media Policy: Firms must develop and adopt policies and procedures for use of social media by their employees, which must include training and education on the differences between non-business communications and business communications; the latter are subject to FINRA and SEC rules and must be retained, retrievable, and supervised. Furthermore, firms must monitor for compliance and follow up on “red flags” that employees are in violation of the policy.
• Static Content on Social Media: Static posts on social media relating to a firm’s business are deemed to be “advertisements” and as such must be approved by a registered principal of the firm before they are posted, and are subject to FINRA recordkeeping requirements. Real-time interactive posts do not have to be approved in advance and are not subject to FINRA recordkeeping requirements. However, interactive content may become static content if it is copied or forwarded and posted in a static forum such as a blog or a static area of a web page.
• Third Party Posts: The notice clarified that FINRA generally does not hold firms accountable for the social media posts by third parties on third party websites unless the firm has adopted or become entangled with the content on the site, for example, if the firm has co-branded any part of the site or explicitly or implicitly approved or endorsed the post or content.

TIP:   Financial firms subject to FINRA governance should ensure that they have a policy in place to address use of social media by the firm and its employees for business communications and advertising, as well as procedures to monitor and enforce compliance with the policy.

[Top]

E. Credit Reporting Agency to Pay $1.8 Million for Alleged FCRA Violations

Teletrack Inc., a consumer reporting agency that had been investigated by the FTC, agreed to a consent judgment under which it will pay $1.8 million for alleged violations of the Fair Credit Reporting Act (FCRA). In the complaint, the FTC alleged that Teletrack sold sensitive consumer information without a permissible purpose. The FTC argued that Teletrack is subject to the FCRA because it “regularly sells…information on consumers that it assembles for the purpose of furnishing consumer reports to third parties.” Teletrack sells consumer reports to businesses that serve primarily consumers in financial distress, such as payday lenders. Through its credit reporting business, Teletrack developed a database of sensitive consumer information that it allegedly sold to marketers, who used the information to target potential customers. The FTC alleged that Teletrack’s activities violated the FCRA because marketing is not a permissible purpose for furnishing consumer reports. In addition to the $1.8 million penalty, Teletrack has agreed to furnish consumer reports only to entities that it believes have a permissible purpose under the FCRA for obtaining the reports.

TIP:   Companies compiling or selling sensitive consumer data to marketers should take care to comply with the FCRA and understand their obligations should they fall under the restrictions of the Act.

[Top]

VII. WORKPLACE PRIVACY

A. NLRB Offers Guidance on Social Media Cases

In the past year, the National Labor Relations Board’s (NLRB) consideration of social media cases has expanded considerably. Until recently, employers had little guidance on what constituted protected union activity in the context of social media. In July, however, the NLRB clarified its position on acceptable workplace social media policies and practices when the Division of Advice concluded in three memoranda that in certain circumstances, employees posting comments about their employment on social media sites may not be engaged in concerted, protected activity. In each of the three cases, the Division of Advice assessed whether the activity was “engaged in with or on the authority of other employees, and not solely on behalf of the employee himself.” The first and second Advice Memoranda concluded that employees who communicated about work through social media with only friends and family were not protected from dismissal by the National Labor Relations Act (NLRA) because the employees were not seeking to “initiate or induce or to prepare for group action.” The third memorandum concluded that an employee was not engaged in protected, concerted activity when he posted profane comments on his Facebook page that were critical of store management, because the employee’s comments expressed “an individual gripe” rather than a logical outgrowth of prior group activity or an effort to induce co-workers to engage in group action. On August 18, 2011, the Acting General Counsel of the Board issued a report summarizing recent case developments arising in the context of social media. The cases cover emerging issues such as the protected and/or concerted nature of employees’ Facebook and YouTube postings, the coercive impact of a union’s Facebook and YouTube postings, and the lawfulness of employers’ social media policies and rules.

TIP:   Because the NLRA applies to both union and non-union employers, these memoranda are useful guideposts for all employers who may be faced with the decision to discipline or terminate an employee based on his or her offensive work-related statements on social media outlets. Employers should review their social media policies to ensure that they do not run afoul of the NLRA, and exercise caution in making employment decisions based on employees’ use of social media.

[Top]

B. Connecticut Statute Bars Employers’ Use of Credit Reports

Connecticut Public Act 11-223, signed by Connecticut Governor Daniel Malloy on July 13, 2011, prohibits certain employers from using the credit history of a prospective or current employee in making hiring or employment decisions. Under the new law, employers may not “require an employee or prospective employee to consent to a request for a credit report that contains information about the employee’s or prospective employee’s credit score, credit account balances, payment history, savings or checking account balances, or savings or checking account numbers as a condition of employment.” There are certain exceptions to the new legislation. The prohibition does not apply if the employer is a financial institution, if such a report is required by law, or if the employer reasonably believes that the employee committed a violation of law related to the employee’s job. Additionally, employers may require consent when a credit report is substantially related to the employee’s current or potential job, or when the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related and is disclosed in writing to the employee or applicant. Connecticut is the sixth state to enact a law restricting employers’ use of credit history, following Hawaii, Illinois, Oregon, Washington, and Maryland. Similar legislation is being considered at the federal level, and several states have similar bills pending, including California, New York, Pennsylvania, Georgia, and Florida.

TIP:   Employers in Connecticut should prepare to comply with this new legislation, which goes into effect on October 1, 2011.

[Top]

C. North and South Carolina, Georgia Adopt Mandatory E-Verify for Certain Employers

In the aftermath of Chamber of Commerce v. Whiting, several states, including Georgia, Louisiana, North Carolina, and South Carolina, have enacted legislation that will require employers to register and participate in the federal government’s electronic employment eligibility verification system, known as “E-Verify.” In Whiting, the United States Supreme Court upheld provisions in the Legal Arizona Workers Act that require electronic verification of employment eligibility through E-Verify. On May 13, 2011, Georgia enacted the Illegal Immigration Reform and Enforcement Act (IIREA), which was modeled after the Arizona law. The United States District Court for the Northern District of Georgia recently held that two of the criminal provisions of IIREA were unconstitutional. The employer-related provisions of the statute, however, were allowed to move forward. On June 27, 2011, South Carolina Governor Nikki Haley signed S.B. 20 into law, amending several sections of the South Carolina Illegal Immigration Reform Act of 2008. South Carolina employers have until January 1, 2012 to comply with the new law. Similarly, North Carolina Governor Bev Perdue signed a bill (H.B. 36) on June 23, 2011 requiring certain employers to verify the employment eligibility of all new hires through E-Verify. The North Carolina law’s 24-month phase-in period will begin on October 1, 2011. Several E-Verify bills, including S. 1258, H.R. 2164, H.R. 2000, and H.R. 800, that would mandate the use of E-Verify for all new hires by U.S. employers have also been introduced in the House and Senate. These bills are aimed at expanding the use of E-Verify.

TIP:   Employers in South Carolina and North Carolina must implement E-Verify procedures for hiring in order to avoid sanctions under these new immigration laws. Employers in other states should familiarize themselves with ongoing efforts at the state and federal levels to mandate employers’ use of E-Verify.

[Top]

A. Challenge to Maine Data Mining Law Sent Back to Lower Court

The Supreme Court recently remanded a case challenging a Maine data mining law on First Amendment grounds (IMS Health Inc. v. Schneider). The Supreme Court sent the case back to the Court of Appeals in light of the Supreme Court’s recent decision holding a similar Vermont law unconstitutional (IMS Health Inc. v. Sorrell). Both laws prohibited pharmacies from selling prescriber-identifying information for marketing purposes. The Maine law, which is written with an opt-in provision, allows prescribers to affirmatively choose to prohibit pharmacies from selling or using their information for marketing purposes. The Vermont law deemed unconstitutional imposed similar restrictions, but was written as an opt-out, whereby prescribers would have to affirmatively opt out to allow pharmacies to share or sell prescribing information. In light of the Supreme Court’s decision in Sorrell, the Court of Appeals will be asked to determine whether the two statutes are similar enough that Sorrell would dictate that the Maine law also be found unconstitutional.

TIP:   While states have been taking steps to curtail pharmaceutical marketing, the Supreme Court has taken the position that some of those restrictions go too far and that there is still room for pharmaceutical marketing. States may narrow their restrictions in the future to avoid the broad prohibitions the Supreme Court has determined are unconstitutional. We will continue to monitor the situation to see if a trend emerges.

[Top]

B. Employees Access Celebrity and Other Medical Records in Violation of HIPAA

HHS alleged that between 2005 and 2009 UCLA employees improperly accessed the medical records of multiple patients, and that UCLA had neither adequate training nor sufficient security measures in place. The HHS investigation began after complaints from two celebrity patients. As part of its settlement, UCLA agreed to pay $865,500.

TIP:   Make sure your organization has clear measures in place to ensure compliance with HIPAA, including workforce training and safeguards that limit access to patient records to those with a need to see them.

[Top]

If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO

Liisa M. Thomas (Advertising) (312) 558-8121
Julie Bauer (Litigation) (312) 558-5973
Monique Bhargava (Advertising) (312) 558-3732
Christine A. Edwards (Financial Services) (312) 558-5571
Brian D. Fergemann (Advertising) (312) 558-8024
Delilah B. Flaum (Health Care, Litigation) (312) 558-8922
Jason W. Gordon (Advertising) (312) 558-6145
Brian L. Heidelberger (Advertising) (312) 558-5897
Mary Hutchings Reed (Advertising) (312) 558-5721
Michael Melbinger (Employee Benefits) (312) 558-7588
Robert H. Newman (Advertising) (312) 558-8125
Michael Philipp (Financial Services) (312) 558-5905
Tim Rivelli (Litigation) (312) 558-5817
Sara Skinner (Advertising) (312) 558-7406
Cardelle B. Spangler (Labor & Employment, Litigation) (312) 558-7541
Marc H. Trachtenberg (Advertising) (312) 558-7964

NEW YORK

Virginia R. Richard (Intellectual Property) (212) 294-4639

PARIS

Sébastian Ducamp (Employment, Litigation) 33 (0)1 53 64 82 08
Blaise Deltombe (Employment, Litigation) 33 (0)1 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property) 33 (0)1 53 64 81 50
Gwendaline Sarrat (Intellectual Property) 33 (0)1 53 64 82 47

SAN FRANCISCO

David S. Bloch (Intellectual Property, Litigation) (415) 591-1452
Andrew P. Bridges (Intellectual Property) (415) 591-1482
Kimberly E. Eckhart (Intellectual Property) (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation) (415) 591-1056
Becky L. Troutman (Intellectual Property) (415) 591-1401

WASHINGTON, D.C.

Marion K. Goldberg (Health Care) (202) 282-5788
Anthony DiResta (Litigation) (202) 282-5782

LONDON

Zoë Ashcroft (Corporate, Financial) 44 (0)20 7105 0025

LOS ANGELES

Steven D. Atlee (Litigation) (213) 615-1827
Anna S. Masters (Labor & Employment) (213) 615-1711

Attorney Advertising Materials

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

© 2011. Winston & Strawn LLP.