Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation
of the section 105(a).  She alleged that the violation of section 105(a) amounted to a per se violation of the Massachusetts Consumer Protection law, chapter 93A, section 9, caused unjust enrichment, and entitled Tyler to declaratory relief pursuant.

Judge Young found that "a ZIP code can indeed be personal identification information under
Section 105(a)" but that no harm resulted (that Ms. Tyler's receipt of advertisements for the store was not sufficient to constitute harm):

In the area of identity fraud, a judge in this district has similarly held that where there were no instances of actual data loss or misappropriation, the failure to comply with minimum
statutory security standards did not cause cognizable injury because the added risk of identity fraud did not actually cause harm to the plaintiff. Katz v. Pershing, LLC, Civil Action No.
10–12227-RGS, 2011 WL 3678720, at *4 (D. Mass. Aug. 23, 2011) (Stearns, J)....[R]eceiving unwanted commercial advertising through the mail is simply not an injury cognizable under chapter 93A, since Section 105(a) was enacted to prevent fraud.

No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to,
a credit card holder’s address or telephone number. The provisions of this section shall apply to all credit card transactions; provided, however, that the provisions of this section shall not be construed to prevent a person, firm, partnership, corporation or other business entity
from requesting information that is necessary for shipping, delivery or installation of purchased
merchandise or services or for a warranty when such information is provided voluntarily by a credit card holder.

Mass. Gen. Laws ch. 93, § 105(a).

"From a legal perspective, I'm not seeing anything that's much different in what's being proposed to take effect on March 1 and what's in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] for a long time."

Zick points out that all the past versions of Google's privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do the same with the new policy once it's officially issued.

"What we have is not a reaction to a change in legal language," Zick says, "but it's a change in perception. ... People are just reflexively reacting to the idea that Google is big."

The entire article can be viewed here, and our earlier post here.

These changes are likely to draw FTC scrutiny, especially in light of the recent decision by Google to incorporate data from its social network, Google+, into search results, which has already resulted in a FTC antitrust investigation. 

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer's patient database.  He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all the patient information from their system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer.  Even so, there was no evidence that patient medical information was accessed or misused.

McNEAL was sentenced to 1 year, 1 month in prison to be followed by 3 years of supervised release, and ordered to perform 120 hours of community service. McNEAL pleaded guilty to the charge on September 28, 2011.

Justice Scalia wrote the opinion, for a unanimous court, and concluded:  "We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a 'search.'  It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information."

This statement about the government occupying private property is going to be used in many future arguments.  Justice Sotomayor's concurrence foresees this future:

With increasing regularity, the Government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones. See United States v. Pineda-Moreno, 617 F. 3d 1120, 1125 (CA9 2010) (Kozinski, C. J., dissenting from denial of rehearing enbanc). In cases of electronic or other novel modes of surveillance that do not depend upon a physical invasion on property, the majority opinion’s trespassory test may provide little guidance. 

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:

• The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
• Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media. The alert is not meant to be a comprehensive summary of all compliance matters related to the use of social media, but rather is intended to cover measures that may assist advisers in developing procedures to prevent violations of the Advisers Act and other federal securities law with respect to the use of social media such as the antifraud, compliance and record keeping provisions.

The alert warns that particular attention should be paid to potential federal securities law violations stemming from third-party content posted on a firm’s social media site. Specifically, firms should be careful to prevent “testimonials” from being posted on a site. The staff advises that, depending on the facts and circumstances, certain functions on a social media site such as a “like” button could be considered a testimonial under the Advisers Act. If such function cannot be disabled, investment advisers should consider monitoring and removing third-party postings if necessary. A firm should also consider the extent to which a third-party should be allowed to post on the firm’s social media site. For example, some firms restrict postings to authorized users, others only allow the firms’ employees to post on the site and others have no restrictions on posting. Regardless of the extent to which third-party posts are allowed, a firm should consider having policies and procedures concerning third-party posts. A firm should also consider disclaimers on their social media site stating that it does not approve or endorse any third-party communications.

Record Keeping Responsibilities

The record keeping obligations for communications that relate to the advisers’ recommendations or advice under the Advisers Act do not distinguish between various forms of media used by advisers. In the alert, the staff states that “investment advisers that communicate through social media must retain records of those communications if they contain information that satisfies an investment adviser’s recordkeeping obligations under the Advisers Act.” A firm should review any document retention policies to ensure that communications generated by social media communications are covered by the policy and will be retained in compliance with the federal securities laws.  

Compliance Programs

Rather than possibly having multiple overlapping policies and procedures covering advertisements, client communications and electronic communications that may each address in part the different risks associated with the use of social media, the alert suggests developing a separate and distinct policy for the use of social media. The staff suggests considering the following factors when crafting a social media policy:

Usage Guidelines. Consider creating guidelines that provide investment adviser representatives and solicitors with guidance on the appropriate and inappropriate use of social media. This might include a list of approved social media sites and permitted or restricted activities on those sites.

Content Standards. Consider whether content contains investment recommendations, information on specific investment services or investment performance and whether such content implicates any fiduciary duties or other regulatory issues.

Monitoring and Frequency of Monitoring. Consider procedures for monitoring the firm’s social media sites or use of third-party sites. The alert notes that a firm should consider the volume and pace of communications posted on a social media site to determine whether periodic, daily or real-time monitoring of posts is appropriate. The alert also states that “[t]he after-the fact review of violative content days after it was posted on a firm’s social networking site, depending on the circumstances, may not be reasonable, particularly where social media content can be rapidly and broadly disseminated to investors and the markets.”

Approval of Content. Consider a requirement to have content pre-approved.

Firm Resources. Consider whether the firm has sufficient resources to adequately monitor the use of social media and whether the use of outside vendors is necessary.

Criteria for Approving Participation. Before approving the use of a social networking site, consider the reputation of the site, the site’s privacy policy, the ability to remove third-party posts, controls on anonymous posting and the site’s advertising practice.

Training and Certification. Consider implementing training related to the use of social media to prevent potential violations of federal securities laws and internal policies. A firm may also consider a requirement for employees to certify that they understand and are complying with the social media policies and procedures.

Functionality. Consider upgrades or modifications to the site that may affect any risk exposure for the firm or its clients. If the site includes a functionality that exposes the firm or its clients to violations of federal securities laws and/or privacy risks, and if that functionality cannot be disabled, consider whether use of such site is appropriate.

Personal/Professional Sites. Consider adopting policies and procedures to address how investment adviser representatives or solicitors use personal or third-party social media sites to prevent firm business from being conducted on such site.

Information Security. Consider whether allowing access to social media sites poses any information security risks. Firms should consider policies and procedures to create a firewall between sensitive customer information as well as the firm’s proprietary information and any social media sites.

Enterprise Wide Sites. Consider creating usage guidelines to prevent violations of the Advisers Act with respect to the advertising practices of a firm wide social media site if an investment adviser is part of a larger enterprise.

Advisers should expect that the SEC will be inquiring about the firm’s use of social media, and the firm’s policies and procedures on the same, in exams. The Commonwealth of Massachusetts has also expressed interest in adopting regulations on the use of social media by investment advisers and issued a report on the same (see Foley Adviser of July 15, 2011 on the Massachusetts report).

                                                                     *  *  *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. 

General areas of concern surrounding the cloud are similar to those of traditional IT:

• Data security during transmission and storage;
• Data privacy and confidentiality;
• Rights of access in general as well as access for local governments and e-discovery;
• Data ownership;
• Suspension and termination of service;
• Forming and negotiating service-level agreements (SLAs) with cloud providers.
   

Los Angeles city officials were able to negotiate their contract for Google applications in the cloud. But if you’re not the second biggest city in the U.S., you may not be as lucky.

If you’re new to cloud storage, consider prioritizing data storage. Many companies kick off a move into the cloud by migrating non-core data first. This allows them to trial the service and determine if it was cost effective without risking core business functions.

For example, a law firm that is new to cloud computing might decide to place back-office information in the cloud -- payroll, employee benefits -- before moving privileged and confidential client information outside the standard network firewall.

Cloud SLAs and a la carte options
Assuming you have a proposed SLA with a potential cloud vendor that is negotiable and you are ready to place some data in the cloud, there are some additional services you may want to look into before signing on the dotted line:

Request that sensitive data reside in a private cloud. This is a slight misnomer since the purpose of cloud computing is to achieve economies of scale by sharing facilities; however, there may be scenarios in which having a dedicated cloud infrastructure makes sense.

Seek special data encryption. If you have particularly sensitive information, you may want the cloud vendor to provide extra protections. For example, while there seems to be growing understanding that cloud providers are not business associates under HIPAA, this isn’t universally known. You might want the cloud provider to agree to adhere to HIPAA standards, even if they’re not required by law to do so.

Geographic restrictions on where your data is stored. For legal or client-relation purposes, you may not want data stored overseas where law enforcement is not as rigorous or the laws are uncertain.

Unique service levels. If your enterprise has special requirements for data access or use, don’t be afraid to ask the cloud vendor for special service.

Special penalties for violation of agreement terms. If it is it important to you or your customers that there be especially high penalties for violating data privacy, ask for them.

Provisions that would deal with a change in ownership over your cloud provider. The cloud computing market is changing rapidly. You may want to build in a change-in-ownership or non-assignment clause into your SLA. In such a provision, you might also make clear that the cloud provider will never own the data that they hold for you, even if you decide to change providers.

Provision for business continuity in the event of a disaster.You need to know specifically what will happen to your data in the event of an earthquake, tsunami or other natural disaster.

In addition to these terms, you may want to add traditional IT outsourcing contract terms that you’ve grown accustomed to regarding e-discovery functionality and indemnification from breaches, such as the ability to:

• search based on defined criteria -- content, sender and/or recipient, date range and metadata;
• store search results with any metadata;
• add and delete from search results to create an e-discovery set.

• 2002:  20,254 updates
• 2003:  19,159 updates
• 2004:  74,981 updates
• 2005:  113,081 updates
• 2006:  167,069 updates
• 2007:  708,742 updates
• 2008:  1,691,323 updates
• 2009:  2,895,802 updates
• 2010:  10,000,000 updates

• 2002:  20,254 updates
• 2003:  19,159 updates
• 2004:  74,981 updates
• 2005:  113,081 updates
• 2006:  167,069 updates
• 2007:  708,742 updates
• 2008:  1,691,323 updates
• 2009:  2,895,802 updates
• 2010:  10,000,000 updates

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

• spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
• devoting 600 person-hours of staff time to the breach;
• hiring a crisis team of lawyers and customers and a chief security officer;
• hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
• notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach and critiques the article in his blog. 
 

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number.  But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.

The recent experiences of customers at certain high-end steakhouses show why all restaurants should consider adopting the table-side charge method.  Seven waiters at Smith & Wollensky’s, the Capital Grille, and other high-end restaurants were arrested along with many other co-conspirators, for copying the credit card numbers of restaurant customers with handheld, high-tech “skimmers” and then using those numbers to buy luxury goods that they resold. The waiters targeted credit cards with high or no spending limits so that big purchases would not be flagged. 

The Payment Card Industry Data Security Standard (PCI-DSS) quick reference guide for merchants does not provide any clear guidelines for card handling.  Nevertheless, this incident should serve as a wakeup call for all restaurants to adopt table-side systems to reduce the potention for misuse of customer credit cards.  It also serves as a reminder to anyone dealing with sensitive information to continually review handling procedures and processes and look for ways transmissions can be made more secure.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

• set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
   
• explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
   
• explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
   
• certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.