T2P Prosecution & Litigation News

Justice Roberts: "This Isn't Personal, and Neither Are Your Corporate Records"

2011-03-02T03:37:12Z

In a unanimous decision on March 1, 2011, the Supreme Court held in Federal Communications Commission v. AT&T Inc. that corporations do not have personal privacy rights under the Freedom of Information Act (FOIA), reversing a 2009 Third Circuit decision (which we blogged about here).

The case arose because AT&T sought to block the disclosure of documents under the FOIA that it disclosed to the Federal Communications Commission (FCC) during a 2004 investigation relating to AT&T’s alleged overbilling of public schools under a program created to enhance telecommunications and information services access for public schools and libraries. Comptel, a trade association that represented some of AT&T’s competitors, submitted an FOIA request to access these documents. The FCC complied with the request, but removed information that was considered “trade secrets and commercial or financial information” (5 U.S.C. § 552(b)(4)) and information that “could be expected to constitute an unwarranted invasion of personal privacy.” (5 U.S.C. § 552(b)(7)(C), “Exemption 7(C)”). However, the FCC did not remove information that was sensitive to AT&T.

AT&T argued that no information should be disclosed under FOIA because the word personal as used under Exemption 7(C) applies to corporations. AT&T argued that the definition of the word person includes legal entities, and therefore the definition of personal privacy should as well. The Court rejected this proposition, deferring to the ordinary meaning of the word personal and holding that the word referred only to individuals. The Court also indicated that when used together, the words personal privacy “suggests a type of privacy evocative of human concerns- not the sort associated with an entity like, say, AT&T.” To lend further support to its decision, the Court also studied the rest of the statute and concluded that the existence of other exemptions available to entities under FOIA limited the scope of Exemption 7(C).

Fittingly, Justice Roberts, who penned the opinion, closed with his hope that AT&T would not take the decision personally.

FTC Accepts Final Settlement with Twitter

2011-03-14T19:25:47Z

On March 11, 2011, the Federal Trade Commission finalized a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the proposed settlement in June 2010. Specifically, the FTC claimed that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.

Under the terms of the settlement, Twitter must implement a comprehensive information security program that is reasonably designed to protect the privacy and security of nonpublic consumer information, and it is prohibited from misrepresenting the extent to which it protects such information. An independent auditor must conduct biennial assessments for 10 years to determine whether Twitter’s information security program adequately protects consumer information as required by the settlement. Twitter is further required to make available to the FTC any privacy policy statements, consumer complaints, subpoenas and other documents that relate to Twitter’s activities in the FTC complaint or Twitter’s compliance in the settlement. Finally, Twitter must file a report describing its compliance with the settlement and alert the FTC to any change in the corporation that may affect its compliance obligations. Any violation of the FTC order, which is in effect for 20 years, may result in a civil penalty of up to $16,000. The order is in effect for 20 years.

Law Suit Filed: Google Faces Class Action over Gmail Scanning

2011-03-16T21:00:21Z

Google Faces Class Action over Gmail Scanning

Infosys job ad automatically rejected older workers, claims lawsuit

2011-03-17T20:48:00Z

A New Jersey man filed a lawsuit charging that outsourcer Infosys listed job ads on Monster.com that automatically discrimated against older workers.

Lawsuit alleges cloak-and-dagger conspiracy by Software AG

2011-03-25T19:36:00Z

Middleware giant Software AG conducted an elaborate corporate espionage scheme replete with "sex, lies and an audiotape," according to allegations in a lawsuit filed by RFID vendor GlobeRanger.

Customer sues Infor after ERP license audit

2011-03-07T18:07:00Z

A New York manufacturer is suing ERP (enterprise resource planning) vendor Infor following a dispute over whether it should have to pay nearly $150,000 in additional license fees.

Former Goldman Sachs coder gets 8-year sentence

2011-03-21T20:12:00Z

A former Goldman Sachs computer programmer has received a stiff prison sentence for stealing source code used in the company's high-frequency trading system.

ID Thief Sentenced to More Than 16 Years in Prison

2011-03-25T04:00:00Z

A Delaware man is sentenced to more than 16 years in prison on ID theft-related charges.

Evolution of Privacy Breach Litigation?

2010-12-13T18:53:54Z

Sasha Romanosky writes:

In addition to empirical work on data breaches and breach disclosure laws, I’ve also become very interested in data breach litigation. While plaintiffs have seen very little success with legal actions brought against companies that suffer data breaches, I still believe there is some very interesting empirical work that can be done regarding these lawsuits.

In a recent post, Daniel Solove cited a paper by Andrew Serwin (found here) who described in great detail the legal theories and statutes that plaintiffs use when bringing legal actions against companies that suffer data breaches. It isn’t my purpose to repeat that work, but rather to identify an interesting pattern that appears to have emerged over the past 5 to 10 years of privacy breach litigation. Special thanks to Paul Bond of Reed Smith LLP who first brought this to my attention.

Illinois Woman Pleads Guilty to Illegally Accessing Confidential Student Loan Files

2010-12-14T23:18:15Z

Another snooping case:

An Illinois woman pleaded guilty today to illegally accessing numerous confidential student loan files, Assistant Attorney General Lanny A. Breuer of the Criminal Division announced. Charlotte M. Robinson, 46, of Dolton, Ill., pleaded guilty before U.S. Magistrate Judge Susan E. Cox in the Northern District of Illinois to a one-count criminal information charging her with unauthorized computer access. Robinson is scheduled to be sentenced on Feb. 22, 2011.

According to court documents, Robinson worked as a full-time employee in the Federal Student Aid (FSA) Division of the Department of Education, where her responsibilities included reviewing and processing student loan complaints within the FSA Office of the Ombudsman. In pleading guilty, Robinson admitted that she had access to the National Student Loan Database System (NSLDS), which contained confidential federal student loan records maintained by the Department of Education. These student loan records included, among other information, the borrower’s full name, date of birth, Social Security number, type of federal loan, loan balances, place of enrollment and loan servicer. Confidential records maintained in NSLDS are protected by the Privacy Act of 1974, and access by Department of Education employees is strictly limited to official government duties.

Robinson admitted that between April 2006 and May 2009, she logged into NSLDS, which became fully automated in approximately 2006, and repeatedly searched for and viewed the confidential student loan records of several hundred people, including musicians, actors, family members, friends and other individuals. Robinson admitted that she had no official government reason to access and to view these student loan records applications, and that her sole purpose in accessing and viewing these records was idle curiosity.

This case is being prosecuted by Trial Attorney Eric G. Olshan of the Criminal Division’s Public Integrity Section. This case was investigated by the Department of Education Office of Inspector General.

Source: U.S. DOJ

Wake Up Call for UK Data Controllers: ICO Issues its First Fines for Data Breaches

2010-11-25T10:55:30Z

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.

Christopher Graham, the UK Information Commissioner, said in a statement today:

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data.”

The breaches that are the subject of the first fines reflect the very ordinary circumstances of the majority of data breaches. Sending a fax or email to the wrong recipient is a common mistake. In Hertfordshire’s case, however, the faxes contained information concerning a child sexual abuse case on the first occasion, and a domestic violence case on the second. A careless mistake – made twice in two weeks – compromised extremely sensitive personal information. The theft of an unencrypted laptop, which resulted in a fine of £60,000 for A4e, is again an all too common occurrence. There is no excuse for failing to encrypt laptops, but this mistake also highlights the risks to organizations that fail to make adequate provision for employees who work remotely. The A4e employee in question downloaded personal data relating to 24,000 people to her company-issued laptop so that she could work remotely. A4e had undertaken a risk assessment and was aware of the need to encrypt its laptops, but had not completed the work.

In the UK, not all breaches trigger a fine. A fine may be imposed only where (1) the violation, by its nature, is likely to cause substantial damage or distress, and (2) the violation was deliberate, or the controller was recklessly indifferent with regard to whether the violation would occur and took no steps to prevent it.

In determining the appropriate fine amount, the Information Commissioner must take into account the nature and effect of the violation, behavioral issues (in the Hertfordshire case this included the fact that the council failed adequately to address the risk following the first incident), and the impact of the fine on the controller (i.e., the controller’s ability to pay).

Although the UK Information Commissioner’s power to impose fines extends to all data controllers, whether in the public, private or third sectors, it is somewhat surprising that a public sector entity has been fined. Hertfordshire County Council’s breaches were serious, but it may anger some to realize that, in a time of public sector cutbacks, local council taxes will be spent to pay the fine.

The penalties will be paid into the Consolidated Fund, and will not be retained by the Information Commissioner’s Office. The Commissioner has offered a 20% discount for early payment. Hertfordshire County Council and A4e have the right to appeal the fines.

The monetary penalty notices are available on the Information Commissioner’s website. View the Hertfordshire notice and the A4e notice.

Privacy Violations Result in 8 Fines

2010-12-15T08:31:32Z

Hospitals Get Sanctions Under Tough California Laws
The California Department of Public Health has fined seven hospitals a total of more than $790,000 for eight breach incidents.

Ex-CIO Dale Frantz led a double life

2010-12-14T18:40:00Z

Dale Frantz, the onetime CIO of Auto Warehousing Co., was a rising star at the company who earned $250,000 -- and the respect of his peers. He was also a thief.

Web designer claims 84% ownership of Facebook

2010-07-13T18:08:00Z

A lawsuit filed against Facebook Inc. is raising the question of whether Mark Zuckerberg is the owner of the phenomenally popular social networking site.

Legal action on 'zombie cookies' - BBC News

2010-07-29T11:04:17Z

Tech Eye

Legal action on 'zombie cookies'
BBC News
"We have a strong history of leadership on privacy and are reviewing this matter carefully," the statement read. The term "zombie cookie" was coined after ...
Media Giants Sued over PrivacyeSecurity Planet
Media Companies, Quantcast Face Privacy Lawsuit About Flash CookiesMediaPost Publications (blog)
Zombie cookies: What zombie cookies are and how to delete themHelium
Mail & Guardian Online -wwwery (blog) -ZDNet UK
all 14 news articles »

Facebook Sued Again For Privacy Violations

2010-06-04T00:40:29Z

Feel like you need a scorecard to keep the lawsuits straight? You’re not alone.

Wendy Davis reports:

Facebook has been hit with a second potential class-action lawsuit alleging that the company violated users’ privacy by providing marketers with the names of users who clicked on ads.

This lawsuit, filed late last week on behalf of Marin County, Calif. resident Mike Robertson, alleges that Facebook “intentionally and knowingly transmitted personal user information to third party advertisers without member consent.” Robertson’s complaint, filed in federal district court in San Jose, joins a similar case also filed on Friday by South Lake Tahoe resident David Gould.

Heartland Payment Systems Enters into its Third Settlement Agreement Arising from 2008 Data Breach

2010-05-24T15:15:40Z

Nearly two years after Heartland Payment Systems, Inc. (“Heartland”) experienced one of the largest customer data security breaches in history, it entered into its third settlement agreement with a card company. (In addition to its settlements with card companies, on April 30, 2010 Heartland received preliminary approval for a consumer class-action settlement that could cost it up to $2.4 million.) Having already entered into settlement agreements with Visa for up to $60 million and American Express for up to $3.6 million, Heartland announced on May 19, 2010 that it entered into a settlement agreement with MasterCard that could result in as much as $41.1 million being paid to eligible MasterCard card issuers for losses resulting from the breach.

According to the terms of the settlement, MasterCard issuers that filed timely claims for accounts that were affected by the breach will be eligible to receive a specified dollar amount at some point during the third quarter of 2010, provided that MasterCard issuing financial institutions that represent at least 80% of the claimed-upon accounts accept the settlement agreement by June 25, 2010. In addition, the claimed-upon accounts must waive rights to any other recovery from Heartland arising from the breach.

With the dust from the breach beginning to settle, the financial damage to Heartland is becoming evident. Should the MasterCard settlement be approved, Heartland could, in total, be on the hook for well over $100 million in breach-related settlement payments.

Goldman Sachs Sued For Illegal Database Access

2010-05-11T20:58:00Z

'Rogue' Goldman employees allegedly used misappropriated credentials to grab intellectual property from market intelligence service's database

Heartland, MasterCard Settle

2010-05-31T19:56:39Z

Issuers Face June 25 Deadline to Accept $41.4 Million Offer
MasterCard and Heartland Payment Systems have settled on a $41.4 million payment to recover losses from the processor's card data breach.

Witnesses say information security at VA still weak - The Hill (blog)

2010-05-19T16:05:16Z

Witnesses say information security at VA still weak
The Hill (blog)
"I recognize that we are far from perfect and have a long way to go to achieve our information protection goals," Baker said. Wilshusen said many of the ...
VA ramps up enforcement of contractor data securityGovernment Health IT
VA data breaches involve records of more than 3800 vetsFederal Times
VA: We Moved Fast on BreachHealth Data Management
FCW.com
all 12 news articles »