The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program.
The Federal Trade Commission announced today that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in violation of the Fair Credit Reporting Act (FCRA). According to the FTC's complaint, Teletrack sells credit reports and other services to businesses that mainly serve financially distressed consumers. Teletrack's business customers include pay day lenders, rental purchase stores and non-prime rate auto lenders. These businesses use Teletrack's credit reports to decide whether and on what terms to extend credit to their customers.
Mr. Kwang Hyun Ryoo, a partner at the Korean law firm of Bae, Kim & Lee LLC, is reporting in the firm's newsletter that on March 29, 2011, Korea enacted a comprehensive personal data protection law, entitled Personal Information Protection Act (PIPA). Most of the act's provisions will come into force on September 30, 2011.
On May 3, 2011, the Federal Trade Commission announced that Ceridian Corporation and Lookout Services, Inc. agreed to settle the FTC's allegations that the companies failed to safeguard their business customers' employee personal information. Ceridian's services include payroll processing, payroll-related tax filing, benefits administration and other human resource services for business customers. Lookout provides a web-based computer product that is designed to help employers comply with their obligations under federal law to complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee in order to verify that the employee is eligible to work in the United States.
In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a Federal judge in the Northern District of California District Court recently refused to dismiss various causes of action related to a data breach involving RockYou. In particular, the Court explored the issue of whether the plaintiff sufficiently alleged "harm" arising out of the data breach. This blog post takes a look the highlights of the Court's decision.
The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission's numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents (i) the first FTC settlement order has requires a company to implement a comprehensive privacy program to protect the privacy of consumers' information, and (ii) the Commission's first substantive U.S.-EU Safe Harbor framework enforcement action. Let's dive in (make sure to read the "Action Item" at the conclusion of the post!).
On March 18, 2011, the Oklahoma State House passed the Electric Utility Data Protection Act (House Bill 1079). The state's Senate will consider the bill next.The Act seeks to establish standards to govern the use and disclosure of electric utility usage data (including personal information) by electric utilities, customers of electric utilities and third parties. The Act also requires electric utility companies to maintain the confidentiality of customer data and allow customers to access the data. State Rep. Scott Martin noted that customers will see energy savings from the Smart Grid, but are vulnerable to potential access of their data by third parties. "This legislation should ensure customers can reap the many benefits of this new system without having to fear someone getting access to their data without permission," said Martin. The legislation is said to have the support of the Oklahoma Gas & Electric Company, which has already converted 100,000 standard meters to smart meters in the state and plans to install 800,000 smart meters in the next two years.
On February 12, 2011, the American Bar Association Information Security Committee established the Smart Grid Privacy and Security Working Group. The working group's mission is to increase awareness regarding privacy and information security legal issues arising in connection with the Smart Grid among consumers, regulators, utilities, service provider and other stakeholders. Gib Sorebo, Chief Cybersecurity Technologist at SAIC, and Boris Segalis, partner at InfoLawGroup, will co-chair the group.
The California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08. Really.
On February 1, 2011, the Department of Energy announced the launch of the Cyber Security Initiative to develop cyber security risk management process guidelines for the electric grid. The Department's Office of Electricity Delivery and Energy Reliability will lead the effort in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation.
On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers". The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.
Yesterday, Mississippi Governor Haley Barbour approved Mississippi's first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota). Here are the most important basics of the Mississippi law.
We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.
Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck. The question presented: "Has Internet Gone Beyond Privacy Policies?" The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent.