Pillsbury

Privacy, Data Security & Information Use

Client Alert
FTC Expands Focus on Tracking and Use of Consumers’ Location Data
In-store monitoring of shoppers’ mobile devices under scrutiny.
Authors: Roxane A. Polidora, Catherine D. Meyer, Lindsay A. Lutz, Kristen E. Baker

Over the past few years, the Federal Trade Commission (“FTC”) has provided guidance regarding mobile platforms and app providers’ practices of collecting data about consumers’ locations through their mobile devices, with a focus on transparency and notice to consumers. The FTC recently hosted a spring seminar on emerging consumer privacy issues that focused on a new type of mobile device tracking: brick-and-mortar businesses tracking consumer movements in or around their premises using signals from the consumer’s mobile device.

Client Alert
Class Certification Properly Denied Where Individual Questions Predominated Under California’s Telephone Recording Statutes
Authors: Brian D. Martin, Roxane A. Polidora, Richard M. Segal, Andrew D. Bluth

The California Court of Appeal unanimously affirmed a trial court ruling denying class certification in a lawsuit filed under California’s Invasion of Privacy Act. The Court held that the determination of whether each potential class member had a reasonable expectation that his or her phone conversations would not be recorded would require too many individual fact inquiries to be treated on a class basis.

Bylined Article
Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships
Source: Corporate Compliance Insights
Authors: Meighan E. O'Reardon, Aaron M. Oser

This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insights.

Bylined Article
February 2014
Personal Data Transfers from the European Economic Area: Binding Corporate Rules Emerge as Increasingly Attractive Option
Source: World Data Protection Report (Bloomberg BNA)
Authors: Rafi Azim-Khan, Steven P. Farmer

This article was originally published in the February 2014, Volume 14, Number 3 issue of Bloomberg BNA's World Data Protection Report.

National Cybersecurity Framework Released – Has Your Organization Considered the Implications?
Authors: Catherine D. Meyer, Meighan E. O'Reardon, Deborah S. Thoren-Peden, Amy L. Pierce

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”). The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

Bylined Article
November 2013
U.K. Court of Appeal’s Award of Compensation for Distress to an Individual Following a Breach of the Data Protection Act: Opening the Floodgates for Claims by Individuals?
Source: World Data Protection Report
Authors: Steven P. Farmer

This article was published in World Data Protection Report, November 2013, published by Bloomberg BNA (

Client Alert
California Internet Privacy Bill Signed by Governor, Effective Jan. 1
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Elsa S. Broeker

On Friday, September 27, 2013, California Governor Edmund G. Brown signed Assembly Bill 370, a bill that amends the Business & Professions Code § 22575 to require an operator of a commercial Internet website or online service that collects personally identifiable information about consumers residing in California who use or visit its website or service to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of PII about the consumer’s online activities, and to disclose whether others may collect PII when a consumer uses the operator’s website or online service.

Bylined Article
Help Clients Insure Against Cyberattacks
Source: Texas Lawyer
Authors: Vincent E. Morgan

This article was originally published in the July 22, 2013 issue of Texas Lawyer.

Bylined Article
June 2013
Mobile Privacy Practices: Recent California Developments Indicate What's to Come
Source: Computer Law Review International
Authors: James Chang, James G. Gatto, Meighan E. O'Reardon

This article was originally published in the June 2013 issue of Computer Law Review International (CRi).

Bylined Article
April 2013
Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0
Source: World Data Protection Report
Authors: Rafi Azim-Khan, Steven P. Farmer

What exactly is the "best" solution for an international business needing to handle and transfer personal data across borders?

Protecting Personal Data in China
Authors: Woon-Wah Siu, Julian Zou

This advisory is one of a series prepared by Pillsbury's China Practice on questions frequently asked by our clients doing business in China. In June 2012, we published an advisory on personal data protection in China in which we also suggested some best practices. Here, we are updating that advisory to reflect new regulations adopted in the past six months.

Client Alert
Omnibus Final Rule Issued on HIPAA/HITECH Act: Significant Changes for ‘Business Associates’
Authors: Gerry Hinkley, Allen Briskin, Caitlin B. Bloom

On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes.

Client Alert
New Binding Corporate Rules Now Available for Data Processors
Authors: Steven P. Farmer, Simon J. Lightman, Meighan E. O'Reardon
In a further push towards “privacy by design,” the Article 29 Working Party, which is made up of representatives from the various EU data protection authorities, has recently approved the use of Binding Corporate Rules (“BCRs”) for international transfers of personal data by data processors effective as of January 1, 2013.

Bylined Article
January 2013
European Parliament Rapporteur Albrecht Proposes Key Amendments to the Commission’s Draft Data Protection Regulation
Source: Bloomberg BNA
Authors: Steven P. Farmer

In December 2012, Jan Philipp Albrecht, a Rapporteur for the European Parliament, released a draft report (the ‘‘Report’’) on the European Commission’s proposed EU Data Protection Regulation (the ‘‘Draft Regulation’’), which is intended to replace the existing legislative framework that has been in place in the European Union since 1995 (see analysis at WDPR, February 2012, page 4).

Bylined Article
October 2012
A "Perfect Storm" of Data Law Changes; Are You Ready for a 2% of Global Turnover Fine?
Authors: Rafi Azim-Khan

Recent months and the EU January announcement have seen very major data protection law changes that affect not just UK or EU companies but any companies (particularly US) which are deemed to be caught by “processing” EU data.

Client Alert
Drawing the Line Online: Employers’ Rights to Employees’ Social Media Accounts
Authors: James G. Gatto, Julia E. Judish, Thomas N. Makris, Amy L. Pierce
With the unprecedented popularity of social media, employees have increasingly used LinkedIn and other online forums to network for business and social purposes. When the line between personal and business use is blurred, litigation may ensue. A federal court recently ruled that an employer did not violate federal computer hacking laws by accessing and altering its recently departed CEO’s LinkedIn account, but that the former CEO could proceed to trial on her state law misappropriation claim. In addition, California, Illinois, and Massachusetts recently joined Maryland in enacting laws prohibiting the practice of requesting access to prospective employees’ password-protected social media accounts.
Client Alert
Recently Enacted Legislation of Interest to California Employers
Authors: Ellen Connelly Cohen, Thomas N. Makris

September 30 was the last day for California Governor Edmund G. Brown, Jr. to sign or veto bills passed by the State Legislature during its 2011-2012 Regular Session. Governor Brown signed several bills of interest to California employers, including an overhaul of the Workers’ Compensation system, elimination of the Fair Employment and Housing Commission, new laws requiring accommodation of employees’ religious dress and grooming practices, restrictions on access to employees’ social media accounts, expanded state law protections for whistleblowers, and new rules governing employees’ rights to inspect their personnel files.

Bylined Article
How to Buy Cyberinsurance
Authors: David L. Beck, Rene L. Siemens

Exposure to network and data security breaches has grown exponentially in recent years, and the market for insurance to cover this risk has grown just as fast. With policies sold under names like "cyberinsurance," "privacy breach insurance" and "network security insurance," the market for this coverage often seems chaotic, with premiums and terms varying dramatically from one insurer to the next. So before buying or renewing a cyberinsurance policy, it is crucial to understand what you are being offered and how to bargain for what you need.

Client Alert
Employ Me, Don’t Friend Me: Privacy in the Age of Facebook
Authors: James G. Gatto, Julia E. Judish, Amy L. Pierce, Meighan E. O'Reardon

With the unprecedented popularity of social media, individuals have increasingly been willing accomplices in undermining their own privacy. Few would have predicted that millions of people would voluntarily log onto the Internet and share detailed private information about themselves, their friends, family and employers. Users of social media have implemented varying privacy safeguards from unrestricted blogs to Facebook posts limited to a customized list of friends. Even those who seek privacy, however, must contend with a growing practice by employers and others of requesting access to password-protected social media accounts. Social media users have lost jobs and educational opportunities as a result of the increased scrutiny of these private postings. Maryland recently became the first state to enact a law prohibiting this practice; several other states and the U.S. Senate and House have similar legislation under review.

China Business Series: Personal Data Protection
Authors: Woon-Wah Siu, Qiaozhu Chen
Foreign companies doing business in China should consider adopting safeguards to protect employee personal data to reduce the risk of unauthorized disclosure or claims of infringement of privacy.

Bylined Article
I Know What You Watched Last Summer
Source: Law360
Authors: Christine A. Scheuneman, Catherine D. Meyer, Lauren Lynch Flick, Amy L. Pierce, Jennifer So

This Client Alert was republished in Law360 on May 11, 2012.

The Northern District of California continues the series begun by the Seventh Circuit in Sterk v. Redbox Automated Retail LLC, against class actions brought under the federal Video Privacy Protection Act and seeking lucrative liquidated damages simply because a "video tape service provider" retains records of customers' video purchases and rentals past the one-year cut-off.

Client Alert
U.S. Supreme Court Limits the Scope of "Actual Damages" in the Federal Privacy Act
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
In its March 28 decision in Federal Aviation Administration v. Cooper, the U.S. Supreme Court interpreted the federal Privacy Act of 1974 and held that the term "actual damages," as used in the Act, does not include damages for mental or emotional distress. Because of its chameleon-like quality, the meaning of the term "actual damages" was considered in the particular context in which it appeared. The Court then found that, because Congress declined to authorize general damages for a violation of the Act, it was reasonable to infer that it intended "actual damages" to mean special damages for proven pecuniary loss.

Client Alert
California Court OKs Collecting Consumer ZIP Codes to Combat Credit Card Fraud
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So

Just over a year after it was filed, Chevron Corporation and other oil companies won dismissal of a putative privacy class action filed after the California Supreme Court's decision in Pineda v. Williams-Sonoma Stores, Inc. The complaint alleged that oil companies collecting consumers' ZIP codes at the gas pump violated California's Song-Beverly Credit Card Act. The Los Angeles Superior Court disagreed, deeming the plaintiff's argument that the Act applies to the oil companies' fraud prevention efforts "absurd." The gas pump case had already inspired a new California law permitting anti-fraud ZIP code collection.

Client Alert
Avoid Being in the Spotlight of California's 'Shine the Light' Privacy-Related Law
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
Eight years after California's "Shine the Light" privacy-related law (S.B. 27) went into effect, five putative class actions alleging violations of Civil Code Section 1798.83 have been filed. The law regulates businesses that disclose customers' personal information to third parties for direct marketing purposes, requiring that customers be informed of the disclosures. Each violation can mean a $3,000 civil penalty.

Client Alert
"Perfect Storm" of EU Data Law Changes; New 2% of Global Revenue Fine Announced. Are you Ready?
Authors: Rafi Azim-Khan
The EU proposals announced a few days ago are just the latest developments over recent months which have seen major data protection law changes come into force that affect not just UK or EU companies but any company, particularly US, deemed to be caught "processing" EU data. New fines increasing penalties from £5,000 to £500,000 per offence, implementation of the E-Privacy Directive (and new restrictions on cookie use, tracking and customer profiling), a newly appointed enforcer in the UK, new website policing for the first time and so on have all helped focus attention on what has been for many a hitherto "bothersome" or "dull" compliance topic.

Client Alert
Third Circuit Finds No Willful Violation of FACTA for Printing Partial Expiration Date
Authors: Christine A. Scheuneman, Brian D. Martin, Amy L. Pierce, Nathaniel R. Smith

The Third Circuit confirmed that, while the merchant’s printing of a partial credit card expiration date on the customer’s receipt violated the Fair and Accurate Credit Transactions Act, the merchant’s interpretation of Section 1681c(g)(1) of FACTA had been objectively reasonable. The court also recognized that "[t]hese are issues of first impression among the federal courts of appeals."

Client Alert
Doing Business in Europe? Social Media Prosecution in Germany Flags Data Consent Problem for All Businesses
Authors: Rafi Azim-Khan, Steven P. Farmer
Do you transfer personal data from Europe to the US? Do you use cookies on a website which is aimed at European customers? Do you send marketing emails to Europe? Do you otherwise "process" data in Europe? Do you really have consent to process personal data? If any of these questions strike a chord with you, then you should certainly note recent trends in the EU regarding the concept of "consent," not least the news from Germany that Facebook is to be prosecuted (and potentially fined up to $400,000) over its facial recognition software feature and for failure to properly obtain consents.

Employee Data Privacy—An Overview of Employer Responsibilities
Source: also found in Perspectives: An Executive Compensation, Benefits & Human Resources Law Update - Fall 2011 | Volume 2, Edition 3
Authors: Scott E. Landau, Bradley A. Benedict
Employers collect a substantial amount of personal information about their employees. Companies need to be aware of their obligations under the profusion of data protection laws and regulations that govern the collection, use and transfer of personal information. This is an especially daunting task for companies that have operations subject to the laws of multiple jurisdictions, as requirements vary widely from country to country and even from state to state. This Advisory summarizes some basic concepts to consider under current data privacy laws that relate to human resources matters.

Client Alert
Carded at the Virtual Door: Distilled Spirits Face New Digital Marketing Guidelines
Authors: Robert B. Burlingame
On September 30, 2011, a new set of digital marketing guidelines went into effect for distilled spirits companies in the United States and Europe.

Client Alert
Retailers Recording ZIP Codes: Class Action Fuel in California, Uncertainty In New Jersey
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Christine A. Scheuneman, Fusae Nara, Amy L. Pierce
Within weeks of each other, New Jersey Superior Court Judge Hansbury and U.S. District Court Judge Walls—each ruling on a motion to dismiss a claim brought under New Jersey's Truth in Consumer Contract, Warranty and Notice Act—disagreed about whether such a claim may be premised on an alleged violation of New Jersey's privacy law, N.J.S.A. 56:11-17. Whether New Jersey will follow California, interpreting "personal identification information" to include a ZIP code, remains to be seen.

Craigslist Defeats Claim that Song-Beverly Credit Card Act Governs Online Transactions
Authors: Deborah S. Thoren-Peden, Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce

San Francisco Superior Court sustains craigslist, Inc.’s demurrer to plaintiff Norman Gonor’s class action alleging violations of California’s Song-Beverly Credit Card Act in connection with online transactions involving credit cards.

2011 Crisis Management Survey
A new survey conducted by Pillsbury Winthrop Shaw Pittman's Crisis Management Team and Levick Strategic Communications found that though 60 percent of survey respondents said their companies have a crisis plan in place, just 29 percent felt very confident their organization would respond effectively if a crisis occurred. Another 56 percent said they felt somewhat confident.

Client Alert
FCC Forum to Focus on Privacy Issues With Location-Based Services, Cell Phone Tracking
Authors: Lauren Lynch Flick, John L. Nicholson
A unique interagency initiative with the FTC will bring together experts in both the technical aspects of location-based services and the privacy concerns raised by LBS on June 28, 2011. Interested parties may file comments to be incorporated in a staff report to the Commission until July 8.

Client Alert
Doing Business Online in Europe? New Law Will Require Customer Consent for Cookies
Authors: Rafi Azim-Khan, Steven P. Farmer
An important new European Directive, which comes into force on 25 May 2011, will require companies with European customers to get informed consent from such visitors to their websites in order to use cookies. The Directive has pan-EU effect. The UK Information Commissioner's Office ("ICO") have recently published much-anticipated advice on how to comply with the new law from a UK perspective.

Client Alert
Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Penalty
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce
The Briar Group, LLC, which owns and operates popular bars and restaurants in the Boston area including The Lenox, MJ O’Connor's, Ned Devine's, The Green Briar, and The Harp, settled with Massachusetts' Attorney General for allegedly "putting the payment card information of consumers at risk."

White Paper
Taking Corporate eMail to the Cloud: The Stored Communications Act and Control
Authors: Shawn P. Thomas, John L. Nicholson, Wayne C. Matus
While there is essentially no case law directly addressing discovery of corporate email held by Cloud providers, there are some instructive analogs found in cases involving third-party email providers under the Stored Communications Act, 18 U.S.C. §§ 2701-2712 ("SCA") and in cases addressing the concept of "control" under Fed. R. Civ. P. 34(a) that should be considered by large corporations thinking of migrating email to the Cloud.

Client Alert
New Sheriff For Websites & Social Media: Remit Extension Comes Into Force
Authors: Rafi Azim-Khan, Steven P. Farmer
Some website content has, until now, escaped policing. This has now changed with a new website/social media regulator. The implications extend beyond the UK. In his capacity as Chair of the Advertising Law Group, Rafi Azim-Khan (Partner, London) recently hosted a meeting with the Chief Executive of the UK Advertising Standards Authority (ASA), to investigate the practical implications of the 1 March 2011 change and enforcement priorities. From this meeting we learned more about the ASA remit extension, which covers all website/new media content, not just paid-for space or messaging, and applies to all sectors.

Client Alert
Obtaining Insurance Coverage for the New Wave of Class Action Lawsuits Filed Against Merchants Recording Zip Codes
Authors: Robert L. Wallan, Kimberly Buffington
The California Supreme Court's February 10 decision in Pineda v. Williams-Sonoma has already spawned a wave of class action lawsuits, many of which may constitute covered losses under a business's Directors and Officers ("D&O") or Commercial General Liability ("CGL") insurance policies.

Client Alert
California Supreme Court: "Requesting and Recording a Cardholder's ZIP Code" Violated State Law
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Greg Johnson, Meredith E. Nikkel
On February 10, 2011, in Pineda v. Williams-Sonoma Stores, Inc., the California Supreme Court reversed the Fourth District Appellate Court, holding that the definition of "personal identification information" in California's Song-Beverly Credit Card Act of 1971 includes a customer's ZIP code. The Court concluded that the word "address" in California Civil Code section 1747.08 "should be construed as encompassing not only a complete address, but also its components."

NJ Court Denies Injunction Sought by Amex and Merchants Over Prepaid Card Data Law
Authors: Amy L. Pierce, Deborah S. Thoren-Peden
On January 13, 2011, Judge Freda L. Wolfson, U.S. District Judge, District of New Jersey, denied an emergency motion for preliminary injunction from the New Jersey Retail Merchants Association, New Jersey Food Council and American Express Prepaid Card Management Corporation. The motion sought construction of the NJ Court’s Order dated Nov. 13, 2010, and a preliminary injunction to stop the State of New Jersey from enforcing the recent data collection amendments to its Unclaimed Property Law, as well as portions of the New Jersey Treasury announcements dated Nov. 23 and Nov. 24, 2010.

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate
Authors: Meighan E. O'Reardon, John L. Nicholson

Effective August 18, 2010, any entity licensed by or registered with the Connecticut Department of Insurance must notify the Connecticut Insurance Commissioner within five days of an "information security incident" involving a Connecticut resident's personal health, financial or personal information that places such resident at risk. Connecticut's insurance notification mandate is the first such measure by a state, adding to the already tangled web of state and Federal data breach notification standards and requirements.

EU Data Protection Opinion on Behavioural Ads & Cookies – Clarifying or Confusing?
Authors: Rafi Azim-Khan

Anybody who recalls the Tom Cruise scene in Minority Report, where he is bombarded by marketing messages in response to the scanning of his “new” eyes by each store he passes, will have an idea of one possible advertisers’ utopia. In the real world, the pressure to have ever-more-targeted marketing based on detailed user/customer profiles is coming up against increasing attempts to restrict/control such efforts, given regulators’ privacy concerns. This tension is currently highlighted by the issue of cookie use and consents.

Client Alert
U.S. Supreme Court Reminds Employers to Update E-Communication Privacy Policies
Authors: Christine Nicolaides Kearns, Rebecca Carr Rizzo

On June 17, the U.S. Supreme Court unanimously upheld the legality of the Ontario, California Police Department's audit of police Sgt. Jeff Quon’s text messages in his department-issued pager, in City of Ontario v. Quon. Declining to issue a broad holding on employee privacy rights in electronic communications, the Court decided the case on the narrow point that, even assuming that Quon had a reasonable expectation of privacy in his text messages, the search was reasonable because it was motivated by a legitimate work-related purpose and was not excessive in scope. Nonetheless, the opinion emphasized the importance of well-crafted employer privacy policies, noting that “employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.”

Class Actions Against Merchants Continue as Courts Interpret Law Protecting Personal Info
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Greg Johnson, Meredith E. Nikkel

In the wake of several court decisions, four retailers have come under attack for alleged violations of California’s Song-Beverly Credit Card Act in the collection and recording of their credit card customers’ personal information at the point-of-sale.

Case Study
December 2009
Shutting Down Massive Class Actions

“Pillsbury ... was the first to warn operators late last year that the industry was vulnerable to facing a number of class-action lawsuits stemming from FACTA violations.”

Nation’s Restaurant News, September 15, 2007

New Maine Regulation Prohibits Predatory Marketing Practices Against Minors
Authors: Catherine D. Meyer, Anna Park

On June 2, 2009, the Maine legislature enacted "An Act to Prevent Predatory Marketing Practices against Minors" prohibiting, among other things, the collection and use of a minor's health-related and personal information without the verifiable consent of the minor's parent or legal guardian. This law, among the first of its kind to be passed by a state legislature, demonstrates a significant step by a state toward preventing persons from using information relating to minors for marketing purposes.

Client Alert
FTC Announces Extension of Identity Theft Red Flag Rule Enforcement Deadline to August 1, 2009
Authors: Catherine D. Meyer, Meighan E. O'Reardon, John L. Nicholson

On January 1, 2008, six federal agencies issued final Rules on Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions (FACT) Act of 2003. The Rules implement § 114 and § 315 of the FACT Act, which specifically call for “establishment of procedures for the identification of possible instances of identity theft” and “reconciling addresses.” Guidelines and supplemental information were released to assist entities who were originally required to comply by November 1, 2008. Companies under FTC jurisdiction must now comply by August 1, 2009.

Client Alert
Facebook Controversy and FTC Report Reaffirm Need for Clarity and Transparency in Website Terms
Authors: Michael P. Heuga, Anna Park

The uproar last week over Facebook’s proposed changes to its terms of service illustrates loudly and clearly that although many people may not read the “fine print” on websites, there are plenty of interested parties who do. Whether your company is engaged in an Internet-based business or simply maintains a website as one mechanism for interacting with customers or other members of the public, it is just as important now as it has been since the early days of the Internet to state the privacy and other terms of your online presence with complete transparency, in a clear, concise, and consumer-friendly manner.

A report issued by the Federal Trade Commission (FTC) on February 12, 2009, is the latest guidance from the FTC to drive home these points in the context of online privacy terms.

Client Alert
New California Law Clamps Down on Unauthorized Viewing of Medical Records

The California Legislature has taken dramatic steps to stop and punish the unauthorized viewing of patient medical records. This legislative action was in direct response to several high-profile privacy breaches at UCLA Medical Center and recent reports that medical records “snooping” is a much broader problem than previously thought.

Bylined Article
September 2008
Final Federal Rules Require Identity Theft Prevention Programs to Be Implemented in 2008, Part 2
Source: Electronic Banking Law & Commerce Report, Vol. 13, Issue 7
Authors: Meighan E. O'Reardon, John L. Nicholson

On November 1, 2008, many businesses will be expected to comply fully with new identity theft rules (the "Red Flag Rules") promulgated by six Federal financial regulators. For background on these rules and requirements, please refer to Part 1 of this article in the August 2008 issue of Electronic Banking Law and Commerce Report. By now, most organizations subject to these requirements are actively developing and implementing their Identity Theft Prevention Programs. As organizations strive to meet the compliance deadlines, the following additional observations about the rules and current implementation efforts have been compiled.

Client Alert
U.S. Customs May Review Electronic Device Contents Without Reasonable Suspicion
Authors: Catherine D. Meyer, Chelcey E. Lieber

Businesses should alert their employees and executives carrying laptops, BlackBerry handhelds, iPhones and other electronic devices as they travel abroad that U.S. Customs can search and even impound them on re-entry to the United States. The recent ruling in United States v. Arnold permits customs officials to treat laptops, digital storage, digital cameras, and other electronic devices like any other piece of baggage, meaning they can search the contents of such devices at the border, including at international airports, without any reasonable suspicion.

Client Alert
FACTA Update: Amendment Renders Most Class Actions Under Statute Moot
Authors: Robert L. Wallan, Mariah Brandt

Section 1681c(g) of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) prohibits businesses that accept credit or debit cards from including “more than the last five digits of the card number or the expiration date” on electronically printed receipts provided to the customer at the point of sale or transaction. Since FACTA took full effect, hundreds of nearly identical class action suits have been filed in federal courts nationwide against a broad range of retailers and restaurants. A recently enacted amendment to FACTA renders most of these class action cases moot.

Client Alert
Lawsuits Against Retailers Attack Collection of Zip Code at Point of Sale
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Daveed A. Schwartz

Five class action complaints have been filed against retailers in the California Superior Courts since mid-April 2008, raising yet another attack under California's Song Beverly Credit Card Act (California Civil Code Section 1747.08). While there have been a spate of class actions filed over the past several years which alleged that retailers violated this statute by requesting telephone numbers or email addresses, these new actions allege that the retailers' collection of customers' Zip Code information without other personally identifiable information violates the statute. Four of the cases were filed in San Diego County and one in Sacramento County.

Client Alert
SEC’s Proposal on Regulation S-P Would Require More Privacy Measures by Financial Institutions and Employees
Authors: David L. Stanton, Jeffrey R. Zuckerman, Alex Ponce de León

On March 4, 2008, the Securities and Exchange Commission issued proposed amendments to Regulation S-P that would require financial institutions to take numerous additional steps to ensure the privacy of their customers’ information. While not yet in effect, the proposal conveys the staff’s current views on information security practices. Those wishing to submit comments must do so within 60 days of the proposal’s pending publication in the Federal Register.

Fall 2005
Global Update
Authors: Andrew C. Smith, Fusae Nara, Tim Wright, E. Weir; L. Copeman; J. M. Tannon; H. Jerry; A. Young; C. Fairweather O'Donoghue, M. McMahon; Warwick Andersen