Last week, a plaintiff's putative class action alleging a violation of California's Shine the Light law, Cal. Civ. Code § 1798.83, was dismissed without prejudice. See Boorstein v. Men's Journal LLC, No. 12-cv-00771-DSF-E, 2012 WL 2152815 (C.D. Cal. June 14, 2012). The suit, one of several other similar pending suits, is the first reported decision applying the Shine the Light Law.
The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program.
In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a Federal judge in the Northern District of California District Court recently refused to dismiss various causes of action related to a data breach involving RockYou. In particular, the Court explored the issue of whether the plaintiff sufficiently alleged "harm" arising out of the data breach. This blog post takes a look the highlights of the Court's decision.
The California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08. Really.
2010. What a year for data security and privacy, and the law. Choose whatever story you want: Facebook privacy practices, Google Buzz, Wikileaks data breach , TSA full body scanning at the airports, FTC Do Not Track, etc. I am having trouble thinking of a week (perhaps even a day) in 2010 where there wasn't a big privacy or data security story reported at a major media outlet. It is difficult to come up with an issue in 2010 (except perhaps "the economy" or the healthcare debate) that became more firmly lodged in the public consciousness than privacy and data security.While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukah, Christmas and New Years, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory and otherwise) will be one of the big data security and privacy stories of 2011. What follows is a very brief listing of some the key lawsuits from 2010 that InfoLawGroup is aware of and tracking. There may be more that are not on the list (such is pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community. Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement.
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations.
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation. The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis in this post.
On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law.
This week the federal court in the Hannaford class action asked the highest court in Maine to clarify whether cardholders' "loss of time and effort" are sufficient injuries to ground a negligence claim following a payment card security breach.