Many companies have experienced the departure of an employee and the elimination of that former employee’s access to the company’s computers and networks. In the recent case of USA v. Nosal, D.C. No. 3:08-cr-00237-EMC-1 (July 5, 2016), the Ninth Circuit Court of Appeals was presented with the following facts:  Nosal, a former employee of Korn/Ferry, departed and launched a competitive entity.  When Nosal left the company, the company revoked his computer access credentials.  After his departure, Nosal was nevertheless able to continue accessing the company’s confidential and proprietary information because his former secretary provided him with her database access credentials.  In Nosal, the question for the court was whether the jury properly convicted David Nosal of the crime of conspiracy under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from the company’s database “without authorization.”  In a 2-1 decision, the Court held that Nosal did indeed violate the criminal provisions of the CFAA even though he did not himself access and download the information.

The CFAA prohibits access to a computer or computer system by persons who either exceed their authorized access or are not authorized users at all.  18 U.S.C. § 1030.  The section of the CFAA at issue in the Nosal case provides that:

Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished . . . .

The prosecution successfully argued that after Nosal left the company, he lacked any rights to use the company’s network.  Because he lacked rights to access the network, the use of the secretary’s login credentials violated the CFAA’s ban on access “without authorization.” The court found that Nosal violated the CFAA because he “knowingly and with intent to defraud blatantly circumvented the affirmative revocation of his computer access.  This access falls squarely within the CFAA’s prohibition on access ‘without authorization’ and thus we affirm Nosal’s conviction for violations of . . . the CFAA.”

But, what about the fact that a person who did have authorization – Nosal’s secretary – granted Nosal permission to access the database?  On this point, the court stated that access:

‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

The court further stated that an “employee could willy nilly give out passwords to anyone outside the company – former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”

As a result of this decision, some privacy groups have expressed concern that the court’s ruling could make it easier to prosecute people for ordinary password sharing, such as when a husband logs into his wife’s Facebook account with her credentials and permission, or to print a boarding pass.

However, the majority addressed this concern squarely, stating that “hypotheticals about the dire consequences of criminalizing password sharing. . . miss the mark in this case.  This case is not about password sharing,” and noting that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.”

While this decision involved a criminal prosecution, with which most companies would not be involved, it is still worthy of consideration for employers.  Many employers have some form of agreement in place that would make accessing the company’s database after termination a violation.  In light of Nosal it would be prudent for a company to also include in its policies and agreements what is seemingly obvious – prohibit current employees from providing their passwords to former employees.  At least with this statement in writing, the company will have (1) a basis upon which to take appropriate disciplinary action – including termination – against the current employee who provided their password to a former employee, and (2) the ability to commence a civil legal action against the former employee under the CFAA.

As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6.  Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded app ever in its first week of availability.

When the game was first offered, users were required to grant permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google accounts — including email, calendars, photos, stored documents and any other data associated with the login. The game’s creator, Niantic, responded to a public outcry – including a letter from Minnesota Senator Al Franken – stating that the expansive permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information.  The company has since issued a fix to reduce access only to users’ basic Google account profile information.

As is often the case, remarkable success naturally attracts critics who take aim. In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the Federal Trade Commission (FTC) requesting government oversight on Niantic’s data collection practices. EPIC is a non-profit public interest research center in Washington, D.C., focusing public attention on privacy and civil liberties issues.

Niantic’s Privacy Policy

EPIC’s letter highlighted a number of alleged issues with Niantic’s privacy policy:

  1. Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.
  2. Niantic collects users’ precise location information through “cell/mobile tower triangulation, wifi triangulation, and/or GPS.” The Company’s Privacy Policy states Niantic will “store” location information and “some of that location information, along with your … user name, may be shared through the App.” The Privacy Policy does not indicate any limitations on how long Niantic will retain location data or explain how indefinite retention of location data is necessary to the functionality of the Pokémon GO app.
  3. With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.
  4. The Pokémon GO Privacy Policy grants Niantic wide latitude to disclose user data to “third-party service providers,” “third parties,” and “to government or law enforcement officials or private parties as [Niantic], in [its] sole discretion, believe necessary or appropriate.” Niantic also deems user data, including personally identifiable information, to be a “business asset” that it can transfer to a third party in the event the company is sold. This issue has been identified as a particular concern to another non-profit organization – Common Sense Media, an independent non-profit organization focusing on children and technology. According to Common Sense Media, location information and history of children should not be considered a “business asset.”

EPIC’s Request to the FTC

Based on the issues highlighted above, EPIC requested that the FTC use its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar apps that fail to conform with FTC’s Fair Information Practices and the principles set forth in The White House 2012 report, “Consumer Data Privacy In A Networked World.”

According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data violates 15 U.S.C. § 45(n) because it is “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

EPIC also contends that the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.

Private Lawsuit Filed Against Niantic

Subsequently, a Pokémon GO user has filed suit in Florida State Court alleging that the terms of service and privacy policy are deceptive and unfair, which violates the Florida Deceptive and Unfair Trade Practices Act. Beckman v. Niantic Inc., case number 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.

Practice Pointer

The issue of consumer privacy continues to garner significant attention. Whether you are an app developer or any other company that collects and retains personal information, it is time to review your applicable policies and take appropriate steps to ensure that your company is not the subject of government agency inquiry, litigation, or a data breach.

For employers whose employees may be bumping into each other in the hallway while playing the game, consideration should be given to banning or otherwise regulating employee involvement. Certainly a drop in productivity is a concern. However, even if accessing the game during work time is barred, employers should be concerned about the potential compromise of proprietary and confidential information that could occur as the result of data breaches or through counterfeit versions of the game that are designed to give hackers access to your protected information.

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but only after a period of “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months of 2016, OCR has announced nearly $15,000,000 in settlement payments to the agency relating to a wide range of compliance failures alleged against covered entities and business associates. At the same time, OCR is conducting audits of covered entities around the country, and plans similar audits of business associates later this year. If you have been waiting to tackle HIPAA compliance, it is probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements and civil monetary penalties:

  • Stolen laptop, vulnerable wireless access. Following notification to OCR of a breach involving a stolen laptop (not an uncommon occurrence!), OCR investigated and reported discovering that electronic protected health information (ePHI) on the covered entity’s network drive was vulnerable to unauthorized access via its wireless network – users could access 67,000 files after entering a generic username and password. OCR also cited, among other things, failures to implement policies and procedures to prevent, detect, contain, and correct security violations, and to implement certain physical safeguards. Settlement $2.75M.
  • Vulnerabilities identified must be timely addressed. In another case, a covered entity had conducted a number of risk analyses since 2003, but OCR claimed these analyses did not cover all ePHI at the entity. OCR also reported that the covered entity did not act in a timely manner to implement measures addressing documented risks and vulnerabilities, nor did it implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure, despite having identified this lack of encryption as a risk. Settlement $2.7M.
  • Not-for-profits serving underserved communities not immune. A data breach affecting just over 400 persons, caused by the theft of a company-issued iPhone, triggered an OCR investigation. The iPhone was unencrypted and not password protected, and contained extensive ePHI including SSNs, medical diagnoses, and names of family members and legal guardians. According to OCR, among other things, the covered entity had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. In its public announcement, OCR acknowledged that the $650,000 settlement was reached after considering that the covered entity provides unique and much-needed services to elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
  • No business associate agreement. When a covered entity’s business associate experienced a breach affecting over 17,000 patients, OCR again investigated. It claimed no business associate agreement was in place, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. Settlement $750,000.
  • Civil monetary penalties against home care provider. In only the second time OCR has sought civil penalties under HIPAA, a judge awarded $239,800 in penalties due to privacy and security compliance failures. In this case, a patient complaint led to an OCR investigation – the patient complained that an employee of the covered entity left PHI in places where unauthorized persons had access and in some cases abandoned the information altogether. Other compliance issues included the covered entity’s maintaining inadequate policies and procedures to safeguard PHI taken offsite, and storing PHI in employee vehicles for extended periods of time.

It is true that these are only a handful of cases with large settlement amounts. But the agency does seem to be sending a message – that is, it wants to see compliance and it is not afraid to seek significant settlement amounts from covered entities or business associates, large or small. In some cases, relatively simple steps, such as making sure to have business associate agreements in place, can help avoid these kinds of enforcement actions.

Earlier today, the European Parliament passed a non-legislative resolution saying the EU Commission should go back to negotiating with the United States to remedy “deficiencies” in the proposed EU-U.S. Privacy Shield for EU citizens’ data which is transferred to the US for commercial purposes.

The resolution, which passed by a vote of 501-119, with 31 abstentions, acknowledged the efforts of the EU Commission and the US Administration to achieve “substantial improvements” in the Privacy Shield as compared to the EU-U.S. Safe Harbour which it is meant to replace.  However, the Members of the European Parliament (MEPs) voiced concerns about “deficiencies” including:

  • the US authorities’ access to data transferred under the Privacy Shield,
  • the possibility of collecting bulk data, in some cases, which does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights,
  • the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”, and
  • the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective.”

The MEPs called on the European Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protections are adequate, particularly in the light of the new EU data protection rules which are to take effect in two years.

Parliament’s resolution follows, and largely supports, the April 13, 2016, opinion of the Article 29 Working Party on the Privacy Shield.  While the European Parliament’s resolution and the Article 29 Working Party’s opinion are not binding on the European Commission, both the resolution and the opinion raise serious doubts as to when, if at all, the thousands of companies who relied on the invalidated EU-U.S. Safe Harbour will be able to rely on the EU-U.S. Privacy Shield for their data transfer needs.

On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005.

Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement).  Previously, and like the vast majority of states, Tennessee’s statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay.  Florida, like the Volunteer State, previously amended its breach notification statute to also require notification within a set time period.

Perhaps even more important than the specific timing requirement for notice, S.B. 2005 also amends Tennessee’s statute to remove the provision in the existing statute requiring notice only in the event of a breach of unencrypted personal information.  Accordingly, by expanding this provision, it appears Tennessee will be the first state in the country to require breach notification regardless of whether or not the information subject to the breach was encrypted.

Lastly, the bill also amends the statute to specify that an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose.  This amendment is likely focused on entities which failed to provide notification of data incidents that were the result of improper access by employees.

The law takes effect July 1, 2016.

The Consumer Financial Protection Bureau (“CFPB”) gave the fintech online payment sector a “wake up call” with an enforcement action against a Des Moines start-up digital payment provider, Dwolla, Inc. (“Dwolla”).

The CFPB alleged that Dwolla misrepresented how it was protecting consumers’ data. Dwolla entered into a Consent Order to settle the CFPB charges and agreed to pay a $100,000 penalty and to change and improve its current security practices.  The CFPB never alleged that Dwolla had breached any consumer data.  According to the CFPB, Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” while telling consumers that the information was “securely encrypted and stored.”  Dwolla had over 650,000 customer accounts and was transferring as much as $5M a day in 2015.

In a nutshell, the CFPB alleged that Dwolla’s representations regarding “securely encrypted and stored data” were inaccurate for a number of specific reasons including:

  • Failing to implement appropriate data security policies and procedures until at least September 2012,
  • Failing to implement a written data security plan until at least October 2013,
  • Failing to conduct adequate risk assessments,
  • Failing to use encryption technology to properly safeguard consumer information,
  • Failing to provide adequate or mandatory employee training on data security, and
  • Failing to practice secure software development for consumer-facing applications.

In addition to the fine, Dwolla agreed to take preventative steps to address security concerns including:

  • Implementing a comprehensive data security plan,
  • Conducting data security risk assessments twice annually,
  • Designating a qualified individual to be accountable for data security issues,
  • Implementing appropriate data security policies and procedures,
  • Implementing an appropriate and precise method of customer identity authentication before any funds transfer,
  • Adopting specific procedures for the selection and retention of service providers capable of maintaining security practices,
  • Conducting regular and mandatory security data training, and
  • Obtaining an annual data security audit from an independent, third party acceptable to CFPB’s enforcement director.

The Consent Order will remain in effect for five (5) years.

This is the CFPB’s first enforcement action directly related to data security and appears to expand the CFPB’s jurisdiction into this arena. In the CFPB press release, Director Richard Cordray stated, “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.  It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

This first enforcement action by the CFPB appears to be a direct response to the growing concern about the lack of regulation for fintech digital payment firms. The enforcement action is also a welcome signal to traditional banks, who have argued that the fintech sector has not received nearly the level of oversight or enforcement that they have.  It appears regulators are attempting to find the right balance between acting too “heavy handed” and not squelching the technical advances that have made finance more convenient for consumers, while still ensuring an adequate level of consumer protection.

Earlier today, the European Commission (the Commission) issued a draft “adequacy decision” as well as the texts that will constitute the EU-U.S. Privacy Shield (the Privacy Shield). This includes the Privacy Shield Principles companies have to abide by, as well as written commitments by the U.S. Government on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities.

An “adequacy decision” is a decision, adopted by the Commission, which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments.  The practical effect of such a decision is that personal data can flow from the 28 EU Member States (and the three European Economic Area member countries: Norway, Liechtenstein and Iceland) to that third country, without any further restrictions.  Once adopted, the Commission’s adequacy finding establishes that the safeguards provided when data are transferred under the new Privacy Shield are equivalent to data protection standards in the EU.

In the Commission’s press release, Commissioner Jourová said:

Protecting personal data is my priority both inside the EU and internationally. The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds. Also, now that President Obama has signed the Judicial Redress Act granting EU citizens the right to enforce data protection rights in U.S. courts, we will shortly propose the signature of the EU-U.S. Umbrella Agreement ensuring safeguards for the transfer of data for law enforcement purposes. These strong safeguards enable Europe and America to restore trust in transatlantic data flows.

As we previously discussed, the Commission and the U.S. Department of Commerce reached agreement on February 2, 2016 for a new framework for transatlantic exchanges of personal data for commercial purposes, known as the Privacy Shield.  The Privacy Shield reflects the requirements set out by the European Court of Justice in its October 2015 ruling in Schrems which declared the old Safe Harbor framework invalid.

What are the main differences between the “Safe Harbor” arrangement and the EU-U.S. Privacy Shield?

According to the Commission, the Privacy Shield provides stronger obligations on companies in the U.S. to protect the personal data of Europeans. It requires stronger monitoring and enforcement by the U.S. Department of Commerce (DoC) and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs).

The Privacy Shield will include:

  • Strong obligations on companies and robust enforcement: the new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating.
  • Clear safeguards and transparency obligations on U.S. government access: the U.S. government has given the EU written assurance that any access by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access.  The U.S. will also establish a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent from national security services. The Ombudsperson will follow up on complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. These written commitments will be published in the U.S. Federal Register.
  • Effective protection of EU citizens’ rights with several redress possibilities: Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the DoC and FTC to ensure that unresolved complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an enforceable arbitration mechanism. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.
  • Annual joint review mechanism: that will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes.

How will the Privacy Shield work?

U.S. companies will register to be on the Privacy Shield List and self-certify that they meet the requirements.  This procedure has to be repeated each year. The U.S. Department of Commerce will monitor and actively verify that companies’ privacy policies are in line with the relevant Privacy Shield principles and are readily available. The U.S. will maintain an updated list of current Privacy Shield members and remove those companies that have left the arrangement. The DoC will ensure that companies that are no longer members of the Privacy Shield continue to apply its principles to personal data received while they were in the Privacy Shield, for as long as they continue to retain such data.

What’s Next?

A committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision is issued. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsperson mechanism.

The Commission has encouraged companies to begin their preparations so as to be in a position to join the Privacy Shield as soon as possible after it is in place following the adoption of the Commission decision.

The Privacy Shield requires action from many actors:

  • U.S. companies must fulfill their obligations under the framework in the full knowledge that it will be strictly enforced and they will be sanctioned if they are non-compliant.  Specifically, the Privacy Shield requires commitment to the following privacy principles: 1) Notice, 2) Choice, 3) Security, 4) Data Integrity and Purpose Limitation, 5) Access, 6) Accountability for Onward Transfer, and 7) Recourse, Enforcement and Liability. The Commission also encouraged companies to opt for EU DPAs as their chosen avenue to resolve complaints under the Privacy Shield and to publish transparency reports on national security and law enforcement access requests concerning EU data they receive.
  • U.S. authorities are entrusted with overseeing and enforcing the framework, respecting the limitations and safeguards as far as access to data for law enforcement and national security purposes is concerned, and those entrusted with responding in a timely and meaningful manner to complaints by EU individuals about the possible misuse of their personal data;
  • EU DPAs play an important role in ensuring that individuals can effectively exercise their rights under the Privacy Shield, including by channeling their complaints to the appropriate U.S. authorities, triggering the Ombudsperson mechanism, assisting complainants in bringing their case to the Privacy Shield Panel, as well as exercising oversight over human resources data transfers; and
  • The Commission is responsible for making a finding of adequacy and reviewing it on a regular basis.

For additional information, please visit the Commission’s page dedicated to the Privacy Shield.

We will continue to update the status of the Privacy Shield as we await the final decision.

Last week, California Attorney General, Kamala D. Harris – who has been mentioned as a potential nominee to fill Justice Antonin Scalia’s recently vacated seat on the U.S. Supreme Court – issued the California Data Breach Report (Report).  The Report provides an analysis of the data breaches reported to the California AG from 2012-2015.

The Report details that nearly 50 million records of Californians have been breached and that the majority of these breaches resulted from security failures.  In fact, the Report explains that nearly all of the vulnerabilities exploited to enable the breaches were exploited more than a year after a fix for the vulnerability was publicly available.  According to Ms. Harris, “It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”

Malware and hacking, physical breaches, and breaches caused by error have been the three most common types of breaches. Of the three, malware and hacking have been by far the largest source of data breaches, with 90% of all records breached by means of malware and hacking.  Physical breaches, resulting from the theft or loss of unencrypted data on electronic devices, were the next most common, with health care entities and small businesses most heavily impacted.  Breaches caused by error – such as mis-delivery of email and inadvertent exposure of information on the public Internet – ranked third.  Government entities made half of all such errors.

Under California law, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  This requirement is important because the Report specifically states that an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls (The Controls) constitutes a lack of reasonable security.

The Report goes on to discuss numerous findings and provide an analysis of the breach types, data types, and industry sectors impacted.  The Report concludes with recommendations which include:

  1. Reasonable Security:  The Standard of Care for Personal Information.  Implementation of The Controls mentioned above as a minimum level of information security (the Controls are reproduced as Appendix A to the Report).
  2. Multi-Factor Authentication.  Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than a username-and-password combination alone for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Encryption of Data in Transit.  Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.  (Note that “in transit” here refers to data on devices that are physically carried from place to place, i.e., full-disk or file encryption of stored data, not transport-layer encryption of network traffic.)  This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.
  4. Fraud Alerts.  Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files, and should make this option very prominent in their breach notices. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
  5. Harmonizing State Breach Laws.  State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.

While the Report, and California’s existing law, are focused on protecting the personal information of California residents, it is important to remember that California has consistently been at the forefront of data security legislation.  In fact, California was the first state to enact a data breach notification law, in 2003, and since that time 46 other states have followed suit.  As such, it would not be surprising if other states consider the recommendations in the Report and implement similar requirements.

As NCAA basketball tournament season approaches, employers may be wondering if they can monitor employees at work to see how much time they are spending checking their brackets, or for other purposes. There are many reasons companies monitor employees, including boosting productivity, dissuading cyber-slacking or social “not-working,” protecting trade secrets and confidential business information, preventing theft, avoiding data breaches, avoiding wrongful termination lawsuits, ensuring that employees are not improperly snooping themselves, complying with electronic discovery requirements, and generally dissuading improper behavior.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, can potentially create legal liability for invasion of privacy under statutory and common law.  With new technology, there are more methods of monitoring than ever before.  Each has different limitations under the law.  Here are the top contenders in the bracket:

  1. Monitoring work email communications. Pros: generally lawful, effective. Cons: Notice requirements exist in some states (e.g., CT, DE).
  2. Monitoring internet usage. Cons: Often misleading, can be expensive.
  3. Monitoring social media. Cons: May violate state laws regarding social media passwords, or the common law.
  4. Accessing an employee’s personal cloud-based internet accounts using a username and password found on or recovered from a work computer. Cons: Likely to violate the federal Stored Communications Act.
  5. Tracking employee whereabouts by GPS (either a phone app or a vehicle-based device). Cons: Morale issues, may be an invasion of privacy. (An employee in CA recently sued and reached a settlement with her employer after she was terminated for uninstalling a company-required 24-hour tracking app from her phone.)
  6. Tracking employees with radio-frequency identification (RFID) tags. Cons: Expensive, strange, morale issues; some states (WI, ND, MO) explicitly prohibit employers from implanting chips in employees.
  7. Motion sensors. Cons: The Daily Telegraph, a London-based newspaper, recently reversed a decision to install motion sensors at desks after employees cried Big Brother. (The employer claimed it was only seeking to measure how many shared desks were used and not used.)
  8. Video. Pros: Extremely effective in loss prevention and investigation of bad acts. Cons: Some notice requirements. Avoid cameras in changing areas, locker rooms, etc.
  9. Audio. Pros: Also effective in obtaining and preserving certain types of evidence. Cons: State wiretap laws apply, and a number of states require the consent of all parties to a recorded conversation.
  10. Physical searches. Pros: Sometimes necessary, little or no expense. Cons: May violate the common law right of privacy depending on the circumstances.
  11. Obtaining health or fitness information. Cons: May violate the Genetic Information Nondiscrimination Act (GINA) and other laws.
  12. Drug testing. Pros: Workplace safety. Cons: Expense, tightly regulated in some states.
  13. Polygraphs. Cons: Restricted by federal law and many states.

Although new technologies may be up and coming, the Final Four of monitoring methods are probably email, video, audio, and physical searches, all of which have been around for quite a while.  Always review your policies and applicable state and federal law before embarking on a monitoring program, and remember to monitor the monitors!
The U.S. Court of Appeals for the Eleventh Circuit has ruled that statutory damages under the Stored Communications Act (SCA) are not available where the plaintiff did not incur any actual damages.

The case, Vista Marketing LLC v. Burkett, originated from an extremely contentious divorce proceeding.  While the majority of the allegations in that proceeding might make for good television, they are not relevant here.  In short, Terri Burkett filed for divorce from her husband, Franklin, in February 2010.  During the divorce proceeding, the valuation of Vista Marketing became a primary issue.  Terri suspected her estranged husband was lying about the financial status of Vista.  To obtain information to prove her theory, Terri began regularly accessing the Vista web mail account to read Franklin’s emails, from October 2011 until May 2012.  Sometimes Terri would review the emails before Franklin had opened them, but most of the time she did not read them until after they had been viewed by Franklin.  The emails Terri obtained were valuable evidence in the divorce proceeding and led to a significant valuation of Vista.

Less than a month after the final judgment of the divorce court, Vista sued Terri, alleging she violated the SCA when she accessed Vista’s web mail account and Franklin’s Vista email account during the divorce proceedings.  Following a three-day jury trial, the jury found Terri had violated the SCA when she accessed Franklin’s emails.  It further concluded Terri had committed 450 violations of the SCA.  But the jury determined Vista had sustained no actual damages as a result of Terri’s actions and, despite finding Terri’s conduct was “willful, wanton, or malicious,” it awarded no punitive damages to Vista.  The district court then conducted a hearing to determine whether it would award statutory damages to Vista.  Vista argued it was entitled to $450,000 in statutory damages ($1,000 for each violation of the SCA), while Terri contended no damages should be awarded because the jury had found Vista suffered no actual damages.  Ultimately, the district court, in an exercise of discretion, awarded Vista $50,000 in statutory damages.

In analyzing the case, the Circuit Court looked to the SCA’s civil damages provision, 18 U.S.C. § 2707(c), which provides: “The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.”

Ultimately, the Circuit Court agreed with Terri that the SCA precluded the district court from awarding Vista any statutory damages, because the jury had returned a verdict reflecting that Vista incurred no actual damages as a result of the 450 violations, and statutory damages may be awarded only upon a finding of actual damages.  The Circuit Court upheld the judgment of liability but vacated the district court’s award of statutory damages to Vista.

In reaching its conclusion, the Circuit Court relied on the U.S. Supreme Court’s decision in Doe v. Chao, which construed the phrase “person entitled to recovery” under the Privacy Act to require a finding of actual damages before statutory damages may be awarded.  The Circuit Court also examined the Wiretap Act, which, like the SCA, was enacted as part of the Electronic Communications Privacy Act (ECPA), and found it would be “inconsistent, to say the least, if Congress treated violations of the SCA more severely than civil violations of the Wiretap Act.”

While the decision provides binding precedent in the Eleventh Circuit that SCA statutory damages are not available absent actual damages, district courts in other jurisdictions, including New York and Illinois, have reached the opposite conclusion.  In those districts, proof of actual damages is not required to recover statutory damages.  As courts throughout the country continue to struggle with analyzing claims under the SCA, it may ultimately fall to the Supreme Court to decide this issue.