The biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies, media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.

Rapidly growing eCommerce and technology companies typically focus on creating viable products and services, adapting business models and responding to challenges, and using data in new ways to glean valuable insights and advantages. They often achieve success by disrupting existing industry norms and flouting convention in an attempt to do things better, faster and more cost-effectively. In the tech world, this strategy is often a blueprint for success.  At the same time, this strategy also often raises privacy concerns from regulators and investors.  In fact, three of the biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies (and potentially, personal liability arising from such scrutiny), media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.

Regulatory Scrutiny Of Privacy Practices

Government regulators, led by the Federal Trade Commission (“FTC”), have taken an activist role in enforcing privacy protections. The FTC often does so under Section 5 of the FTC Act, which empowers it to investigate and prosecute companies and individuals for “unfair or deceptive acts or practices.” Among the activities the FTC considers to fall under the “unfair or deceptive” umbrella are: a company’s failure to honor its privacy promises; violations of consumers’ privacy rights; and failing to maintain reasonably adequate security for sensitive consumer information.

Though most of the FTC’s investigations are resolved privately, those that do become public (usually as a result of a company refusing to cooperate voluntarily or disagreeing with the FTC on the proper resolution) are often instructive. For example, the FTC recently settled charges against Snapchat, the developer of a popular mobile messaging app. The FTC accused Snapchat of deceiving consumers with promises about the disappearing nature of messages sent through the service, the amount of personal data Snapchat collected, and the security measures taken to protect that data from misuse and unauthorized disclosure. Similarly, when Facebook acquired WhatsApp, another cross-platform mobile messaging app, the FTC explicitly warned both Facebook and WhatsApp that WhatsApp had made clear privacy promises to consumers, and that WhatsApp would be obligated to continue its current privacy practices, even where those practices differ from Facebook’s, or face FTC charges. The takeaway from the FTC’s recent investigations and enforcement actions is clear: (1) businesses should be very careful about the privacy representations they make to consumers; (2) businesses should comply with the representations they make; and (3) businesses should take adequate measures to ensure the privacy and security of the personal information and other sensitive data they obtain from consumers.

Sometimes officers and directors of a business are named in an FTC action along with, or apart from, the company itself. In such cases, the interests of the individuals and those of the company often diverge as the various parties try to apportion blame internally. In certain cases, companies and their officers are held jointly and severally liable for violations. For example, the FTC sued Innovative Marketing Inc. and three of its owners/officers. A federal court found the business and the owners/officers jointly and severally liable for unfair and deceptive acts, and entered a judgment of $163 million against them all. The evolving world of regulatory enforcement actions shows that traditional liability protections (i.e., acting through a corporate entity) do not necessarily shield owners, officers, and/or directors from personal liability when privacy violations are at issue. Officers and directors should keep in mind that knowledge of, or indifference to, an unfair or deceptive practice can put them squarely in the FTC’s crosshairs, and that the “ostrich defense” of ignoring and avoiding such issues is unlikely to produce positive results.

Unintended Consequences of Publicity

Most businesses crave publicity as a means of building credibility and awareness for their products or services. However, businesses should keep in mind that being in the spotlight can also put the company on regulators’ radar screens, potentially resulting in additional scrutiny where none previously existed. One of our clients, for example, came out with an innovative service that allows consumers to utilize their personal information in unique ways, and received significant positive publicity as a result. Unfortunately, that publicity also caught the interest of a regulatory entity. It turns out that some of our client’s statements about their service were misunderstood by the government. Ultimately, we were able to clarify the service offered by our client for the government in an efficient and cost-effective manner, demonstrating that no wrongdoing had occurred, and the inquiry was resolved to our client’s (and the government’s) satisfaction.  Nonetheless, the process itself resulted in substantial aggravation for our client, who was forced to focus on an investigation rather than on its business activities. Ultimately, the misunderstanding could have been avoided if the client had checked with us first, before speaking with reporters, to ensure the client’s talking points were appropriate.

Another, more public, example occurred at Uber’s launch party in Chicago. Uber, the car service company whose mobile app lets users hail a ride, allegedly demonstrated a “God View” function for its guests, which allowed the partygoers (including several journalists) to see, among other information, the names and real-time locations of some of its customers (including some well-known individuals) in New York City, information those customers did not know was being projected onto a large screen at a private party. The resulting publicity backlash was overwhelming. Senator Al Franken wrote Uber a letter demanding an explanation of Uber’s data collection practices and policies, and Uber was forced to retain a major law firm to independently audit its privacy practices and implement changes to its policies, including limiting the availability and use of the “God View.”

Experience has shown us that contrary to the old mantra, all publicity is not necessarily good publicity when it comes to the world of privacy.  Before moving forward with publicity or marketing for your business, consider incorporating a legal review into the planning to avoid any potentially adverse impact of such publicity.

Privacy Concerns Arising During A Corporate Transaction

Perhaps most importantly to company owners, the failure to proactively address privacy issues in connection with corporate transactions can cause significant repercussions, potentially destroying an entire deal. Most major corporate transactions involve some degree of due diligence. That due diligence, if properly performed by knowledgeable attorneys and businesspeople, will uncover existing privacy risks (e.g., violations of privacy-related laws, insufficient data security measures, or compliance gaps that become financially overwhelming to close). If these issues were not already factored into the financial terms of the transaction or affirmatively addressed from the outset, the entire landscape of the transaction can change overnight once they are uncovered, with the worst case being the collapse of the deal. Therefore, it is critical that businesses contemplating a corporate transaction be prepared to address all relevant privacy issues upfront. Such preparation should include an internal analysis of the business from a privacy-law perspective (i.e., determining which regulatory schemes apply, and whether the business is currently in compliance) and being ready to respond quickly to relevant inquiries, such as requests for historical policies and procedures related to privacy and data security, network and data-flow diagrams, lists of third parties with whom data has been shared, representations and warranties made to data subjects, and descriptions of complaints, investigations, and litigation pertaining to privacy issues.

Privacy and data security issues can be particularly tricky depending on the nature of the data that is maintained by the company and the representations that the company has made with respect to such data.  Businesses are well-advised to prepare a due diligence checklist in preparation for any corporate transaction which should include an assessment of the business’ compliance with applicable information privacy and data security laws as well as any potential liabilities from deficiencies that are discovered.  Addressing these issues in a proactive manner will allow the business to be more prepared for the corporate transaction and mitigate any harm which otherwise might flow from any problems which arise.

Safeway To Settle Allegations Of Privacy Breach

On December 31, 2014, the second-largest U.S. grocery chain, Safeway, was ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to the improper dumping of hazardous waste and the improper disposal of confidential pharmacy records containing protected health information, in violation of California’s Confidentiality of Medical Information Act (“CMIA”).

This settlement comes after an investigation revealed that for over seven years hazardous materials, such as medicine and batteries, had been “routinely and systematically” sent to local landfills that were not equipped to receive such waste. Additionally, the investigation revealed that Safeway failed to protect the confidential medical and health records of its pharmacy customers by disposing of records containing patients’ names, phone numbers, and addresses without shredding them, putting those customers at risk of identity theft.

Under the settlement agreement, while Safeway admits no wrongdoing, it will pay (1) a $6.72 million civil penalty, (2) $2 million for supplemental environmental projects, and (3) $1.15 million in attorneys’ fees and costs. In addition, Safeway must maintain and enhance its customer record disposal program to ensure that customer medical information is disposed of in a manner that preserves the customer’s privacy and complies with the CMIA.

“Today’s settlement marks a victory for our state’s environment as well as the security and privacy of confidential patient information throughout California,” said Alameda County District Attorney Nancy O’Malley. Alameda County Assistant District Attorney Kenneth Mifsud said the case against Safeway spotlights the importance of healthcare entities, such as pharmacy chains and hospitals, properly shredding, or otherwise “making indecipherable,” patient and other consumer personal information prior to disposal.

However, despite the settlement, customers whose personal information was improperly disposed of will have a difficult time suing for a “pure” loss of privacy due to Safeway’s violation of the CMIA. In Sutter Health v. Superior Court, a California Court of Appeal held that confidential information covered by the CMIA must be “actually viewed” by an unauthorized person for the statute’s penalty provisions to apply. So parties bringing claims under the CMIA must now allege, and ultimately prove, that their confidential information (1) changed possession in an unauthorized manner, and (2) was actually viewed (or, presumably, used) by an unauthorized party.

The takeaway from Safeway’s settlement is to ensure that your customers are not put at risk of data breaches and identity theft through careless record disposal, and so protect your company from the multi-million dollar consequences of failing to do so. If you have any questions about complying with privacy and health information laws, please feel free to contact one of our certified privacy attorneys at OlenderFeldman LLP.

Cellphone companies are now using “perma-cookies” to track mobile browsing despite consumers’ “do not track” requests. This permits advertisers to identify users for targeted behavioral advertising and has concerning implications for users’ privacy.

OlenderFeldman was interviewed by Fox News (http://www.myfoxny.com/story/27170920/your-browsing-is-being-tracked) regarding how cellphone companies are using various methods to track their users’ mobile browsing habits. While most people think their mobile browsing activity is anonymous, this activity can be tracked to their phone, and thus to them, both by their phone companies and, increasingly, by the websites they view. This has concerning implications when the user of a phone is a minor, or when the subject of the browsing is personal health information or other sensitive information.

OlenderFeldman was also asked about the mandatory arbitration provisions and other waivers hidden in the fine print of many cellphone contracts. In our modern electronic society, many users simply hit “I accept” without reading the contracts they are agreeing to, not realizing that they may be giving away important rights.

See the full interview here.

The Supreme Court of New Jersey held that individuals have a reasonable expectation of privacy in their cell phone location data under the NJ state constitution and that “cell-phone location information, which users must provide to receive service, can reveal a great deal of personal information about an individual.”

In a turn that is becoming less and less surprising given the trailblazing nature of the New Jersey Supreme Court, the Court recently ruled in State v. Earls that police must obtain a search warrant before obtaining cell phone location information about a suspect from the suspect’s cell phone provider. While this ruling has obvious implications for law enforcement, from a broader perspective the decision affects, and most importantly protects, the privacy of the individuals (and related businesses) who conduct their business and personal lives on cell phones. The decision underscores a continuing tension between government intrusion into personal privacy and the advance of the digital age, in which smartphones are used to conduct day-to-day business. While various states have been considering legislation that would require a probable-cause warrant before access to cell phone location data is granted, the New Jersey Supreme Court’s ruling puts New Jersey at the forefront of addressing this issue.

While the facts of the case matter less than the implications of the decision, for completeness: the case involved burglaries in Middletown, New Jersey. In investigating the burglaries, law enforcement used location data obtained from T-Mobile, without first obtaining a warrant, to track stolen merchandise including a cellular phone, which ultimately led to the arrest of Mr. Earls. In protecting Mr. Earls’s rights and overturning the decisions of the lower courts, the New Jersey Supreme Court ruled that individuals can and should “reasonably expect that their personal information will remain private” when entering into a contract with a cell phone carrier. In explicitly recognizing a constitutionally based right to privacy in the location of one’s cell phone, the decision builds on the prior year’s ruling by the United States Supreme Court in United States v. Jones, 565 U.S. 400 (2012), which held that the government’s attachment of a GPS device to a vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a search under the Fourth Amendment.

Given the capabilities of cell phones, the New Jersey Supreme Court treated a cell phone, in essence, as a GPS device. In fact, the Court went as far as to say that using a cell phone for locational purposes can “be far more revealing than acquiring toll billing, bank, or Internet subscriber records. It is akin to using a tracking device and can function as a substitute for 24/7 surveillance without police having to confront the limits of their resources.” Interestingly, the Court’s decision also raises the possible use of this data to infer protected health information (PHI): because the location of a medical facility is easily discernible, cell phone tracking could theoretically reveal when, and by whom, a patient is being treated.

This is only the tip of the iceberg. While the Court does a reasonable job of spinning out scenarios in which a warrantless intrusion could affect the privacy of a cell phone owner, it speaks in a targeted and hypothetical manner. Though the Court tempers the warrant requirement with an “emergency aid” exception, the possibility of mining this data should be recognized by individuals who use cell phones for every aspect of their daily lives. As cell phone (and data) use naturally increases, it will be crucial to place tight restrictions on third-party use of cell phone information: not only will companies likely try to monetize it, but any unauthorized use of the data puts the rights and interests of privacy as a whole into play.

OlenderFeldman LLP has significant experience dealing with privacy and business related issues which are implicated in the decision discussed above.  If you have any questions about the legal or practical implications of this case, please contact Christian Jensen, Esq. (cjensen@olenderfeldman.com) at (908) 964-2485.

OlenderFeldman was interviewed by U.S. News and World Report about when to give out your social security number and how to protect it, so that you can protect your privacy.

Most people get requests for their social security number on a regular basis, and it is often difficult to understand whether you are required to give that information or when it’s purely optional. In a recent U.S. News and World Report article, Aaron Messing provided some tips about determining when that information is required:

“It’s hard to tell whether a business is going to follow best practices,” says Aaron Messing, an information privacy attorney at OlenderFeldman LLP in New Jersey. “The best way to protect private information including Social Security numbers is to limit who has access to it.”

In addition to asking why your social security number is necessary and how it will be used, Aaron recommends offering an alternate identifier, such as a driver’s license number, being skeptical of emails and incoming phone calls, and not oversharing online:

Don’t over-share online. Until 2011, the Social Security Administration assigned Social Security numbers in a predictable way. “If you share your birthday, age and place of birth, for example, on Facebook, studies have shown that Social Security numbers can be predicted based on publicly available information,” Messing says. “The Social Security Administration started randomly assigning Social Security numbers in June 2011 for that reason.” He recommends never publicly sharing your year of birth and choosing a different year when asked for online forms. “Add or subtract some years, as long as it’s a number you’ll remember,” he says.

Read the whole article here. Aaron was previously quoted regarding privacy and protection of social security numbers for State Farm’s Good Neighbor magazine.

Support may be growing for allowing cybertheft victims to “hack back.” What are the privacy concerns of allowing hackbacks?

OlenderFeldman’s own Rick Colosimo wrote an interesting post regarding a WSJ article describing the idea of hacking victims “hacking back” on his personal blog. He writes:

The concept isn’t crazy (the article’s warning that hacking back at the Chinese Army might be trouble notwithstanding) — there is a general common law right to self-defense (you don’t have to let someone hit you), to defense of property (you don’t have to let someone steal your stuff), to defense of others (you can stop someone snatching another’s purse), and to peaceably reclaim property (you can walk down the block and take your bike back off the front lawn of the kid who took it). The rub with hacking back is that it is made illegal by the same law that makes the hacking illegal — that is, hacking, without regard to the underlying crime of theft of property or IP, is itself illegal. Half the point is that it gives prosecutors a way to get around the idea of whether copying data is crime and to cut off snooping before it turns into a more destructive hack.

Later, discussing Professor Orin Kerr’s statement that “because it is so easy to disguise cyberattacks, there is a real risk that retaliatory measures could affect innocent bystanders, which raises a range of privacy concerns,” Rick writes:

If the person that is hacked back isn’t the actual hacker, then their information is exposed through no fault of their own and the original victim has now compounded the damage. That’s an actual concern, not some vague notion that is readily dismissed. It’s got a nice real-world parallel: if someone steals your bike, and you go to take it back but take the bike from someone who owns the same one and didn’t steal yours, that’s bad. We all understand that. Imagine: allowing people to reclaim property creates a range of ownership concerns.

You can read the whole post here.

In this age of social media and ubiquitous photography, what are your rights as a photographer? What privacy laws do you need to be concerned with?

OlenderFeldman LLP was interviewed by Dave Johnson of Techhive.com about the rights and obligations of photographers, especially concerning privacy:

First, the good news: Most people, most of the time, can simply take pictures and not worry about what is legal and what isn’t. As a general rule, you can use a camera to take photos in public—on streets, on sidewalks, and in public parks—without restriction. As Aaron Messing, an attorney at OlenderFeldman LLP, puts it, “What can be seen from public can be photographed.”

[However,] [e]ven in the United States, Messing notes, photography can be prohibited around military locations and sensitive energy installations. And it gets more complicated from there. Remember that you can’t shoot on private property with the same impunity as in public. And sometimes it’s not easy to tell.

Read the whole article over at Techhive.

Social networking sites, such as Facebook and MySpace, have become repositories of large amounts of personal data. Increasingly this data is viewed as relevant to all manner of litigation, and as such is increasingly sought during discovery in civil cases. Businesses and individuals that use social networking services should be aware of what data they put on social networking sites, as it could end up in court.

By Adam Elewa

In litigation, businesses or individuals must routinely comply with a process known as discovery, where both parties are compelled by the court to produce relevant documents concerning the issues in dispute to the opposing party. There are only a few areas that are off-limits to opposing counsel in discovery, such as privileged conversations between a lawyer and his client. With the proliferation of social networking, and the large amount of personal information being shared and stored in the cloud, lawyers now routinely attempt to compel disclosure of social networking profiles during discovery.

In general, courts have declined to recognize a general right of privacy in information stored on social networking websites. Constitutional privacy protections constrain only government actors, not private parties. The current trend, reinforced by a recent federal court case in Montana, is to let the rules of civil procedure governing discovery dictate how much and what kind of data posted to social networking sites must be turned over to the adversary. See, e.g., Keller v. National Farmers Union Property & Cas. Co., 2013 WL 27731 (D. Mont. Jan. 2, 2013). Although judges have discretion in applying the rules of discovery, a consensus seems to be forming.

Courts have been clear that adversarial parties cannot compel the disclosure of social networking profiles without some reasonable belief that such information is relevant to the case at issue. In other words, lawyers cannot go on “fishing expeditions” by demanding the maximum amount of data be disclosed, in the hopes that something interesting will turn up.

However, courts have shown a willingness to disregard privacy settings and/or subjective expectations of privacy held by users of social networking websites when deciding whether to compel disclosure. In such instances, courts often rely on publicly shared information to determine whether private information is likely to be relevant. A public photo that is relevant to the litigated issue can be taken as an indication that more relevant information is likely to be lurking on the hidden portions of the user’s profile. Of course, making data unviewable by the public may make it more difficult for an adversarial party to demonstrate that a profile contains relevant information, and thus should be subject to discovery. Regardless, it is important to keep in mind the limits of privacy on Facebook and other social media sites.

Cases in which lawyers have successfully demonstrated that information on social networking sites was likely to be relevant tend to share similar characteristics. Many such cases concern private matters that would likely be shared, as a matter of social practice, on social networking sites. For example, the plaintiff in Keller alleged that the defendant’s actions had caused major disruptions to her social life. Lawyers for the defense successfully argued that the woman’s social networking profile likely contained information that could demonstrate whether her life was in fact severely disrupted by the defendant’s alleged negligence.

Additionally, lawyers were able to support the contention that private aspects of an individual’s profile likely contained relevant information by reference to non-hidden or publicly viewable aspects of that individual’s profile. For example, in Keller, the contention that the plaintiff’s private profile contained information relevant to her quality of life was bolstered by publicly viewable images showing recent physical activity of a kind claimed by the plaintiff to be impossible.

Businesses that communicate via social networking platforms or use them to reach clients should be aware that such communications and business activities are likely discoverable in litigation. Individuals and businesses should be mindful that:

  • Although social networking sites have “privacy” settings, these settings can be deemed legally irrelevant if the information contained on such platforms can be shown to be relevant to pending litigation.
  • Information that is publicly viewable can be used for any purpose by an opposing party. Public indications that a profile is used for business-related communications might allow that profile to be subject to discovery where such communications are at issue. Thus, businesses and individuals should always be mindful of the evolving privacy policies of the sites on which they transact business.

Finally, litigants should bear in mind that while social media evidence may be relevant to litigation, it is important not to make discovery requests overbroad. For the best likelihood of success, social media discovery requests should be narrowly tailored to produce evidence directly pertinent to the issues, rather than engaging in a fishing expedition.

When should you provide your social security number? State Farm asked us when sharing is required.

State Farm contacted OlenderFeldman LLP to ask when sharing your social security number is appropriate:

Think before revealing your Social Security Number (SSN). Its unauthorized use could lead to privacy invasion and identify fraud. Aaron Messing, an information privacy attorney at OlenderFeldman LLP, says sharing is generally required by law only for:

  • Records of financial transactions in which the IRS is interested (banking, stock market, investment, property, insurance or other financial transactions)
  • Employment records
  • Driver’s license applications
  • Government benefit applications (Medicaid, student loans, etc.)
  • Joining the armed forces
  • Obtaining some professional or recreational licenses

You can see the Fast Tracks article here.

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as the E-Privacy Directive, is a European Union directive on data protection and privacy in the digital age, which has recently been updated to require informed consent for non-essential cookies.

Many of our clients transact business internationally and have websites that target European users. The European Union’s E-Privacy Directive (the “Directive”), as amended in 2009, requires that websites obtain informed consent from users before storing cookies on a device; the UK rules implementing the amended Directive took effect in May 2011, and the UK Information Commissioner’s Office (ICO) began enforcing them in May 2012. The Financial Times recently reported that the ICO is beginning to crack down on non-compliant companies. If a website is found to be non-compliant, the ICO can issue fines of up to £500,000 ($807,450). Cookies are small data files sent from a website and stored in a user’s web browser while the user is browsing, and are commonly used for remembering preferences and tracking user activity. Although the Directive exempts some cookies from the informed consent requirement (those strictly necessary to provide a service the user has explicitly requested, such as a session cookie that keeps items in a shopping basket), most commonly found cookies, such as third-party analytics, personalization and other persistent cookies, are not exempt. Generally speaking, if your website uses technology to track users, you need their consent to do so.


There are a few basic steps to take in order to comply with the Directive. First, audit your tracking technologies to determine what cookies, if any, your website places; you may be surprised at what is going on behind the scenes. Categorize your cookies into groups (e.g., necessary service/function cookies, analytical cookies, advertising cookies) so that you can better explain the types of cookies used on your site. Next, update your privacy policy to ensure that it accurately reflects what is actually going on under the hood of your website. Once your privacy policy is up to date and accurate, consider how you want to inform your users of your cookie practices and obtain their consent. Simply assuming that users may have read your privacy policy is no longer considered sufficient. Instead, many websites are implementing banners, headers, footers or splash screens designed to secure informed consent. According to the Financial Times, the European Union has been aggressively enforcing compliance with the Directive and recently increased the size of its enforcement team by 60 percent to investigate infringements. All companies that use cookies on their websites and are subject to European Union jurisdiction should ensure that their sites comply with the Directive.
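The audit and categorization steps above can be scripted. The following is an added example, not code from the original post or from OlenderFeldman: it takes Set-Cookie headers captured while loading a site (a constructed sample below, not a real capture), records for each cookie whether it is first- or third-party and session or persistent, assigns a category from a name lookup, and reports which cookies fall outside the strictly-necessary exemption and therefore need consent. The name-to-category table is an illustrative assumption, not an authoritative list, and unrecognized cookies are deliberately flagged as needing consent rather than silently exempted.

```python
"""Cookie audit helper (added example, not part of the original post).

Parses Set-Cookie headers captured while loading a site, classifies each
cookie, and reports which ones need informed consent.  Rule applied: only
cookies strictly necessary to deliver a service the user asked for are
exempt; analytics, advertising and unrecognised cookies all need consent.
"""
from http.cookies import SimpleCookie

# Assumption: heuristic mapping of well-known cookie names to categories.
# Extend it from your own audit; it is not an authoritative list.
KNOWN_COOKIES = {
    "sessionid": "necessary",
    "csrftoken": "necessary",
    "cart": "necessary",
    "_ga": "analytics",
    "_gid": "analytics",
    "__utma": "analytics",
    "ide": "advertising",
    "fr": "advertising",
}


def classify(name):
    """Unknown cookies stay 'unknown' so they are never silently exempted."""
    return KNOWN_COOKIES.get(name.lower(), "unknown")


def audit_response(site_host, response_host, set_cookie_headers):
    """Return one audit record per cookie set by a single HTTP response."""
    records = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Without a Domain attribute the cookie is scoped to the responding host.
            domain = (morsel["domain"] or response_host).lstrip(".").lower()
            first_party = domain == site_host or site_host.endswith("." + domain)
            max_age = morsel["max-age"]
            # A cookie outlives the session if it carries Expires or a positive Max-Age.
            persistent = bool(morsel["expires"]) or (max_age != "" and int(max_age) > 0)
            category = classify(name)
            records.append({
                "name": name,
                "domain": domain,
                "first_party": first_party,
                "persistent": persistent,
                "category": category,
                "needs_consent": category != "necessary",
            })
    return records


def audit_site(site_host, captured):
    """Audit every (responding host, Set-Cookie headers) pair captured for the site."""
    records = []
    for response_host, headers in captured:
        records.extend(audit_response(site_host, response_host, headers))
    return records


def consent_report(records):
    """Group cookie names by category; every group except 'necessary' needs a consent mechanism."""
    report = {}
    for record in records:
        report.setdefault(record["category"], []).append(record["name"])
    return report


# Constructed sample capture for www.example.com: headers from the page itself
# and from a third-party advertising resource it loads.  Not a real capture.
CAPTURED = [
    ("www.example.com", [
        "sessionid=8f3a2c; Path=/; Secure; HttpOnly",
        "_ga=GA1.2.123.456; Domain=.example.com; Path=/; Max-Age=63072000",
        "theme=dark; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    ]),
    ("stats.g.doubleclick.net", [
        "IDE=AHWqTUk; Domain=.doubleclick.net; Path=/; Max-Age=31536000",
    ]),
]

if __name__ == "__main__":
    records = audit_site("www.example.com", CAPTURED)
    for r in records:
        print(f"{r['name']:<10} {r['domain']:<20} first_party={r['first_party']!s:<5} "
              f"persistent={r['persistent']!s:<5} {r['category']:<12} consent={r['needs_consent']}")
    print(consent_report(records))
```

In practice the capture comes from a browser’s developer tools or a proxy; feed every Set-Cookie header seen during a page load, including those from embedded third-party resources, since those are the cookies most often missed in a self-audit. The report then maps directly onto the categories to disclose in the privacy policy and the groups a consent banner must cover.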

Survey finds that only 61.3% of apps have privacy policies, reflecting perceived need for increased app privacy regulations.

By Alice Cheng

A recent survey conducted by the Future of Privacy Forum (FPF) examined whether popular free and paid mobile apps provided users with access to a privacy policy. The survey found that 61.3% of the 150 apps examined had a privacy policy, and that more free apps than paid apps had privacy policies. While the number of apps with privacy policies is still low, these findings mark an overall increase from the previous year.

The FPF credits the consumer privacy efforts of various groups, including the Federal Trade Commission and the California Attorney General. The FTC has made continuous efforts to help companies develop best consumer privacy practices, and has been involved in battling privacy violations. In February, California Attorney General Kamala Harris persuaded six major companies with mobile platforms (including Apple, Microsoft, and Google) to ensure that app developers include privacy policies that comply with the California Online Privacy Protection Act. More recently, Harris also announced the formation of the Privacy Enforcement and Protection Unit to oversee privacy issues and to ensure that companies are in compliance with the state’s privacy laws.

Together with the FPF survey results, these recent strides reflect a growing nationwide concern for information privacy. However, mere access to privacy policies does not ensure that consumers are aware of what happens to information collected about them. Many policies are long and onerous, and can be confusing for consumers. As many privacy laws focus on protecting the consumer’s privacy interests, providing a clear privacy policy is oftentimes a best practice for all companies.

If your password looks something like “123456,” you might want to change it.

By Alice Cheng

Late Wednesday evening, hackers breached Yahoo! security and published a list of unencrypted emails and passwords. The list exposed the login information of more than 450,000 Yahoo! users. The hackers, who call themselves the D33D Company, explained that they obtained the passwords by using an SQL injection vulnerability—a technique that is often used to make online databases cough up information. The same method has been employed in other high-profile hacks, including those against Sony and, more recently, LinkedIn.

However, unlike other malicious attacks, the D33D hackers claim that they only had good intentions: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

The attempted wake-up call is apparently much needed, though often ignored. An analysis of the exposed Yahoo! passwords revealed that a large number were incredibly weak—popular passwords in the set ranged from sequential numbers to merely “password.”

In a statement, Yahoo! apologized and stated that notifications will be sent out to all affected users. The company also urged users to change their passwords regularly.

If you are a Yahoo! user, you may want to change your account password, as well as the password on any other account that uses similar login credentials. It will also be well worth your time to heed the wake-up call and adopt better password practices. Use a different password for each site, and create long passwords that include a mix of upper- and lower-case letters, numbers, and symbols. To help keep things simple, password management software (such as LastPass and KeePass) is also available to help keep track of the complex passwords you create.
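Two things went wrong in the breach described above: user input reached the database as part of the SQL text, and the passwords were stored unencrypted. The following is an added example, not code from the original post or from Yahoo!: it shows, side by side, a lookup that builds its query from user input (the vulnerable pattern) and one that binds the input as a parameter, stores passwords as salted PBKDF2-HMAC-SHA256 hashes instead of plaintext, and refuses passwords like “123456” at registration. The table layout, the e-mail addresses, the common-password list and the iteration count are all constructed for illustration.

```python
"""Defensive counterpart to the breach above (added example, not from the original post).

Shows the two controls whose absence the post describes: a parameterized
database lookup in place of string-built SQL, and salted PBKDF2 hashes in
place of plaintext passwords, plus a check that rejects passwords like
"123456" at registration time.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed list of the kind of weak passwords the analysis of the leak found.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}
PBKDF2_ITERATIONS = 600_000  # assumption: a present-day work factor for PBKDF2-HMAC-SHA256


def is_weak(password: str) -> bool:
    """Reject short passwords and anything on the common-password list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$digest' string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def setup_db() -> sqlite3.Connection:
    """In-memory user table; a leaked copy would hold only salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn


def register(conn, email: str, password: str) -> None:
    """Store a new user, refusing passwords that would fail the post's advice."""
    if is_weak(password):
        raise ValueError("password too weak")
    conn.execute(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)", (email, hash_password(password))
    )


def lookup_unsafe(conn, email: str):
    """VULNERABLE: the pattern the post describes. User input is pasted into the SQL
    text, so a value containing quotes changes the query instead of being matched."""
    return conn.execute(
        f"SELECT email, pw_hash FROM users WHERE email = '{email}'"
    ).fetchall()


def lookup_safe(conn, email: str):
    """HARDENED: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT email, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def authenticate(conn, email: str, password: str) -> bool:
    """Log a user in using only the safe lookup and the hash comparison."""
    rows = lookup_safe(conn, email)
    return bool(rows) and verify_password(password, rows[0][1])


if __name__ == "__main__":
    db = setup_db()
    register(db, "alice@example.test", "correct horse battery staple")
    print("login ok:", authenticate(db, "alice@example.test", "correct horse battery staple"))
    print("weak rejected:", is_weak("123456"))
```

Had the stored column held hashes of this form, the published list would have exposed e-mail addresses but not the passwords themselves, and the common-password check would have kept “password” and “123456” out of the database in the first place.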

Your smartphone knows all about you. Before giving it away or recycling your smartphone, make sure that you take the proper precautions so that your smartphone doesn’t spill your secrets to the world.

In a Fox Business article by Michael Estrin entitled “Don’t be Stupid With an Unwanted Smartphone,” OlenderFeldman LLP provides insight on the importance of wiping all data before selling or donating an old phone. Some excerpts follow, and be sure to read the entire thing:


If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.

“It’s important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information,” says Messing, who’s with the Olender Feldman firm in Union, N.J.

That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and a browser history. Increasingly, many phones also contain everything you’d have in your wallet — and more — as more consumers are using mobile banking and payment apps.

If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.

“Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information,” says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could easily be multiplied very quickly.

So far, there haven’t been many reported incidents of identity theft using data pulled from discarded smartphones. But it’s a problem that Messing worries might rise as smartphone usage grows. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.

The Federal Communications Commission (FCC) is seeking public comment on the privacy and security of personal information on mobile devices.

By Alice Cheng

The Federal Communications Commission (FCC) recently released a request for public comment on the privacy and security of personal information on mobile devices. The Commission, which regulates interstate and international radio, television, wire, satellite, and cable communications, had solicited public input on this subject five years ago, but acknowledges the vast changes in technologies and business practices since then.

Section 222 of the Communications Act of 1934 addresses customer privacy, and establishes that all telecommunications carriers have the duty, with limited exceptions, to protect the confidentiality of proprietary information of and relating to customers. All carriers must also protect “customer proprietary network information” (CPNI), such as the time, date, and duration of a call, which the carrier receives and obtains. They may use, disclose, and allow access to such information only in limited circumstances.

The FCC enforces these obligations, and is seeking comments to better understand the practices of mobile wireless service providers, and the types of customer information that are stored on mobile devices.

This request for public comment appears to come in light of the Carrier IQ controversy of late 2011. The Federal Trade Commission (FTC) brought legal action against analytics company Carrier IQ after it was discovered that the software, installed on over 140 million mobile devices, was capable of detailed logging of user keystrokes, recording of calls, storing text messages, tracking location, and more. The detailed tracking was intended to provide phone usage information that would be helpful to improve device performance. However, the widespread collection and difficulty in opting out attracted nationwide attention and a slew of lawsuits.

In addition to the request for public comments, the FCC has also recently released a report on location-based services (LBS), focusing on “mobile services that combine information about a user’s physical location with online connectivity.” While the report acknowledges the benefits of these services (ease of transacting business, social networking, etc.), it also addresses the concern that highly accurate and personal user profiles can be built from LBS data—specifically, “how, when and by whom this information can and should be used.”

Congress has displayed a growing interest in privacy as well—several privacy and information security-related bills have been introduced and hearings on the issues have been held.

Five years after its initial inquiry into the matter, the FCC hopes to obtain an updated understanding of these mobile information security and privacy issues. Comments are due by July 13, and reply comments are due by July 30.

Websites that collect information from children under the age of thirteen are required to comply with the Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) is generally responsible for ensuring compliance with COPPA.

By Alice Cheng

Earlier this year, the Federal Trade Commission (FTC) issued a staff report on the growing market for mobile apps for children and the disappointing privacy disclosures that accompanied them.

A survey of mobile apps for children showed that both app stores and app developers need to provide parents with more information about online behavioral advertising and data collection so that parents can make informed decisions. The report also concluded that, in the interest of protecting children, the industry should provide greater transparency about its data practices.

In 1998, Congress addressed similar concerns when it enacted the Children’s Online Privacy Protection Act (COPPA) in order to provide parents with control over what information is collected online from their young children.

The Rule, which became effective on April 21, 2000, applies to persons or entities (such as operators of commercial websites and online services) who operate sites that are either designed for children under 13 or collect information from this age group.

Those covered by the Rule must:

  1. Post a clear and prominent link to a privacy notice on the home page of the website or online service and at each area where it collects personal information from children. The notice must be clearly written and understandable, and include the name and contact info of all operators collecting or maintaining the information, the kinds of personal information collected, how the information is collected, how the information is used, and whether the information is disclosed to third parties.
  2. Provide a direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children. Operators must use reasonable procedures, such as obtaining a signed form or verifying a credit card number, to ensure that they are dealing with the parent.
  3. Obtain a more reliable method of consent if operators wish to disclose a child’s personal information to third parties or make it publicly available.
  4. Allow parents to consent to the collection and internal use of a child’s information, but prohibit the third-party use of the information.
  5. Give parents access to the child’s personal information to review and/or delete. Parents must also be given the option of prohibiting further use or collection of a child’s personal information, providing them with the procedures to do so.

Operators may not require that a child provide more information than is reasonably necessary in order to participate in an activity on a site. The Federal Trade Commission enforces COPPA, and may bring actions and impose civil penalties of up to $11,000 per violation. State Attorneys General can also sue for COPPA breaches.

In the mobile app staff report, the FTC makes several recommendations: allow parents easy access to basic information and data privacy practices; include the privacy practices of third parties; and enforce agreements to display data collection practices and interactive features. Any app stores, developers, or web site operators who may fall under COPPA should stop collecting, disclosing, or using personal information from children under 13 until they can come into compliance. They should conduct a careful review of their information practices and privacy policy to determine whether the notification, consent, use, and opt-out provisions are sufficient.

A New Jersey appeals court recently ruled that a criminal suspect has no reasonable expectation of privacy in his cell phone number.

By Alice Cheng

In State v. DeFranco, the defendant, a schoolteacher, was charged with sexual assault of a former student. The defendant filed a motion to suppress evidence of a telephone conversation with the victim, which was intercepted by the police with the victim’s consent. The Appellate Division upheld the trial court’s denial of the motion, determining that the defendant had no reasonable expectation of privacy in the cell phone number used to make the call. The defendant had disclosed the cell phone number to the school where he taught, and the number had been given to a policeman prior to the interception.

The court determined that, unlike long-distance billing information and banking records, the cell phone number was “simply a number.” Additionally, the defendant had in the past disclosed his number to the victim and expressed no surprise when contacted by the victim via cell phone, suggesting that he had no reasonable expectation of privacy in his cell phone number. Under the circumstances, the court found nothing unreasonable in the police officer obtaining the number from the school.

If the court had found that the defendant had a reasonable expectation of privacy in his cell phone number, then the number could be acquired only through a search warrant or grand jury subpoena (neither of which had been obtained).

Under U.S. federal law and in most states, including New Jersey, the monitoring of telephone calls (or wiretapping) by local and state law enforcement is permitted with the consent of at least one party to the call.

The company allegedly collected information from toddlers and children in kindergarten through 2nd grade, including first and last names, a picture and other information.

By Alice Cheng

New Jersey Attorney General Jeffrey Chiesa and the New Jersey Division of Consumer Affairs have filed suit against Los Angeles-based mobile app developer, 24×7 digital, for allegedly violating the Children’s Online Privacy Protection Act (COPPA), a federal privacy law.

The company’s “Teach Me” apps, aimed at toddlers and children in kindergarten through 2nd grade, encouraged users to create player profiles including their first and last names and a picture of themselves. Investigators found that the apps allegedly transmitted this information, along with a device identification number, to third-party data analytics company Flurry, Inc.

Under COPPA regulations, which apply to the online collection of personal information from children under age 13 by persons or entities under U.S. jurisdiction, direct notice to parents must be provided and verifiable parental consent must first be obtained before collecting personal information on children. Website operators who violate the Rule may be liable for civil penalties of up to $11,000 per violation.

Cyber-bullying bill may threaten anonymous speech in New York

By Alice Cheng

In an attempt to combat cyber-bullying, a bill entitled the Internet Protection Act has been proposed in New York, requiring New York-based websites to “remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post.” The bill would allow those who are bullied or defamed online to take action to remove material. However, the bill only applies to anonymous comments. It would also give business owners the right to question negative online service and product reviews.

Although this statute was presumably created with good intentions, it also comes with serious First Amendment and privacy concerns. Website administrators would have the right to request that anonymous users attach their names to their posts, and those users would also have to verify the accuracy of their IP address, legal name, and home address. This appears to clash with the conceptions most have regarding the rights to online privacy and anonymous speech.

The right to anonymous Internet speech, while not absolute, is nevertheless protected by the First Amendment. Protection is extended so long as the speaker is not involved in tortious or criminal conduct. Additionally, Section 230 of the Communications Decency Act provides immunity for Internet Service Providers (read: websites, blogs, listservs, forums, etc.) who publish information provided by others, so long as they comply with the Digital Millennium Copyright Act of 1998 (“DMCA”) and take down content that infringes the intellectual property rights of others.

The proposed bill prohibits an employer from requiring a current or prospective employee to provide access to a personal account or even asking if they have an account or profile on a social networking website.

By Alice Cheng

Last month, a New Jersey Assembly committee approved a measure that would prohibit an employer from requiring a current or prospective employee to disclose user names or passwords that would allow access to personal accounts. The employer would also be prohibited from asking a current or prospective employee whether she has an account or profile on a social networking website. Additionally, an employer may not retaliate or discriminate against an individual who exercises her rights under the bill.

This bill came in light of the multitude of stories of employers and schools requesting such information, or performing “shoulder surfing,” during interviews and at school/work. Although this may be only an urban legend at best, the ACLU and Facebook itself have demanded that the privacy-violating practice come to an end, and legislators across the nation have nevertheless responded promptly. For example, Maryland, California, and even the U.S. Senate have all proposed similar legislation banning such password requests to protect employee privacy.

Not only are password requests problematic for employees, but they may also land employers in legal hot water. Social media profiles may contain information that employers legally cannot ask about (such as race or religion), and may potentially open employers up to discrimination suits.

Under the New Jersey bill, civil penalties are available in an amount not to exceed $1,000 for the first violation, or $2,500 for each subsequent violation.

Recently, in Ehling v. Monmouth Ocean Hospital Service Corp., 11-cv-3305 (WJM) (D.N.J. May 30, 2012), a New Jersey court found that accessing an employee’s Facebook posts by “shoulder surfing” a coworker’s page states a privacy claim. See Venkat Balasubramani’s excellent writeup at the Technology & Marketing Law Blog.

New Jersey Law Requires Photocopiers and Scanners To Be Erased Because Of Privacy Concerns

NJ Assembly Bill A-1238 requires the destruction of records stored on digital copy machines under certain circumstances in order to prevent identity theft.

By Alice Cheng

Last week, the New Jersey Assembly passed Bill A-1238 in an attempt to prevent identity theft. This bill requires that information stored on photocopy machines and scanners be destroyed before the devices change hands (e.g., when they are resold or returned at the end of a lease agreement).

Under the bill, owners of such devices are responsible for the destruction, or arranging for the destruction, of all records stored on the machines. Most consumers are not aware that digital photocopy machines and scanners store and retain copies of documents that have been printed, scanned, faxed, and emailed on their hard drives. That is, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of the photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.

Any willful or knowing violation of the bill’s provisions may result in a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses. Identity theft victims may also bring legal action against offenders.

In order to avoid these consequences, businesses should be mindful of the type of information stored on such devices, and ensure that any data is erased before reselling or returning them. Business owners should be especially mindful, as digital copy machines may also contain trade secrets and other sensitive business information.