Pillsbury

Privacy, Data Security & Information Use

Publications
Bylined Article
7/22/2014
The Admiral Sets A Good Course
This article was originally published on The Huffington Post on June 20, 2014.
Authors: Brian E. Finch
Admiral Mike Rogers, the new leader of the National Security Agency and Cyber Command at the Defense Department, certainly has taken a different approach from his predecessor, General Keith Alexander. Right out of the gate, Admiral Rogers noted that the NSA had a public image issue and that it had lost some of its credibility with the American public.

Advisory
7/8/2014
California Court Limits Liability for Loss of Certain Patient Information under CMIA
Authors: Joseph R. Tiffany, Connie J. Wolfe, Ph.D., Allen Briskin

California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq. (“CMIA”) of health care providers, health plans, pharmaceutical companies and others for the unauthorized disclosure of medical information. The CMIA provides that an individual may recover $1,000 nominal damages (plus actual damages if any) from a health care provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.

Bylined Article
6/20/2014
Rethinking Cyber Defense
Source: Fox Business.com
Authors: Brian E. Finch

This article was originally published on Fox Business.com on June 20, 2014.

Client Alert
6/5/2014
California AG Issues New Privacy Policy and “Do Not Track” Compliance Guidelines, Announces Proactive Enforcement
Authors: Andrew D. Lanphere, Catherine D. Meyer, Roxane A. Polidora, Jacob R. Sorensen

The California Attorney General recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and Do Not Track disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.

Client Alert
5/12/2014
New Canadian Anti-Spam Rules to Take Effect July 1, 2014
Authors: Catherine D. Meyer, Deborah S. Thoren-Peden, Michael P. Heuga, Amy L. Pierce

Businesses that use “commercial electronic messages” to market to customers and prospective customers in Canada should be aware of Canada’s new anti-spam rules, which require, among other things, the sender to obtain consent from the recipient before sending the message and the message itself to identify the sender and provide instructions enabling the recipient of the message to withdraw consent to receive such messages.

Client Alert
3/31/2014
FTC Expands Focus on Tracking and Use of Consumers’ Location Data
In-store monitoring of shoppers’ mobile devices under scrutiny.
Authors: Roxane A. Polidora, Catherine D. Meyer, Lindsay A. Lutz, Kristen E. Baker

Over the past few years, the Federal Trade Commission (“FTC”) has provided guidance regarding mobile platforms and app providers’ practices of collecting data about consumers’ locations through their mobile devices, with a focus on transparency and notice to consumers. The FTC recently hosted a spring seminar on emerging consumer privacy issues that focused on a new type of mobile device tracking: brick-and-mortar businesses tracking consumer movements in or around their premises using signals from the consumer’s mobile device.

Client Alert
3/25/2014
Class Certification Properly Denied Where Individual Questions Predominated Under California’s Telephone Recording Statutes
Authors: Brian D. Martin, Roxane A. Polidora, Richard M. Segal, Andrew D. Bluth

The California Court of Appeal unanimously affirmed a trial court ruling denying class certification in a lawsuit filed under California’s Invasion of Privacy Act. The Court held that the determination of whether each potential class member had a reasonable expectation that his or her phone conversations would not be recorded would require too many individual fact inquiries to be treated on a class basis.

Bylined Article
2/27/2014
Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships
Source: Corporate Compliance Insights
Authors: Meighan E. O'Reardon, Aaron M. Oser

This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insights.

Bylined Article
February 2014
Personal Data Transfers from the European Economic Area: Binding Corporate Rules Emerge as Increasingly Attractive Option
Source: World Data Protection Report (Bloomberg BNA)
Authors: Rafi Azim-Khan, Steven P. Farmer

This article was originally published in the February 2014, Volume 14, Number 3 issue of Bloomberg BNA's World Data Protection Report.

Publication
2/18/2014
National Cybersecurity Framework Released – Has Your Organization Considered the Implications?
Authors: Catherine D. Meyer, Meighan E. O'Reardon, Deborah S. Thoren-Peden, Amy L. Pierce

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”). The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

Bylined Article
November 2013
U.K. Court of Appeal’s Award of Compensation for Distress to an Individual Following a Breach of the Data Protection Act: Opening the Floodgates for Claims by Individuals?
Source: World Data Protection Report
Authors: Steven P. Farmer

This article was published in World Data Protection Report, November 2013, published by Bloomberg BNA (www.bna.com).

Client Alert
10/2/2013
California Internet Privacy Bill Signed by Governor, Effective Jan. 1
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Elsa S. Broeker

On Friday, September 27, 2013, California Governor Edmund G. Brown signed Assembly Bill 370, a bill that amends the Business & Professions Code § 22575 to require an operator of a commercial Internet website or online service that collects personally identifiable information about consumers residing in California who use or visit its website or service to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of PII about the consumer’s online activities, and to disclose whether others may collect PII when a consumer uses the operator’s website or online service.

Bylined Article
7/22/2013
Help Clients Insure Against Cyberattacks
Source: Texas Lawyer
Authors: Vincent E. Morgan

This article was originally published in the July 22, 2013 issue of Texas Lawyer.

Bylined Article
June 2013
Mobile Privacy Practices: Recent California Developments Indicate What's to Come
Source: Computer Law Review International
Authors: James Chang, James G. Gatto, Meighan E. O'Reardon

This article was originally published in the June 2013 issue of Computer Law Review International (CRi).

Bylined Article
April 2013
Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0
Source: World Data Protection Report
Authors: Rafi Azim-Khan, Steven P. Farmer

What exactly is the "best" solution for an international business needing to handle and transfer personal data across borders?

Advisory
4/2/2013
Protecting Personal Data in China
Authors: Woon-Wah Siu, Julian Zou

This advisory is one of a series prepared by Pillsbury's China Practice on questions frequently asked by our clients doing business in China. In June 2012, we published an advisory on personal data protection in China in which we also suggested some best practices. Here, we are updating that advisory to reflect new regulations adopted in the past six months.

Client Alert
2/7/2013
Omnibus Final Rule Issued on HIPAA/HITECH Act: Significant Changes for ‘Business Associates’
Authors: Gerry Hinkley, Allen Briskin, Caitlin B. Bloom

On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes.

Client Alert
1/25/2013
New Binding Corporate Rules Now Available for Data Processors
Authors: Steven P. Farmer, Simon J. Lightman, Meighan E. O'Reardon
In a further push towards “privacy by design,” the Article 29 Working Party, which is made up of representatives from the various EU data protection authorities, has recently approved the use of Binding Corporate Rules (“BCRs”) for international transfers of personal data by data processors effective as of January 1, 2013.

Bylined Article
January 2013
European Parliament Rapporteur Albrecht Proposes Key Amendments to the Commission’s Draft Data Protection Regulation
Source: Bloomberg BNA
Authors: Steven P. Farmer

In December 2012, Jan Philipp Albrecht, a Rapporteur for the European Parliament, released a draft report (the “Report”) on the European Commission’s proposed EU Data Protection Regulation (the “Draft Regulation”), which is intended to replace the existing legislative framework that has been in place in the European Union since 1995 (see analysis at WDPR, February 2012, page 4).

Bylined Article
October 2012
A "Perfect Storm" of Data Law Changes; Are You Ready for a 2% of Global Turnover Fine?
Authors: Rafi Azim-Khan

Recent months and the EU January announcement have seen very major data protection law changes that affect not just UK or EU companies but any companies (particularly US) which are deemed to be caught by “processing” EU data.

Client Alert
10/16/2012
Drawing the Line Online: Employers’ Rights to Employees’ Social Media Accounts
Authors: James G. Gatto, Julia E. Judish, Thomas N. Makris, Amy L. Pierce
With the unprecedented popularity of social media, employees have increasingly used LinkedIn and other online forums to network for business and social purposes. When the line between personal and business use is blurred, litigation may ensue. A federal court recently ruled that an employer did not violate federal computer hacking laws by accessing and altering its recently departed CEO’s LinkedIn account, but that the former CEO could proceed to trial on her state law misappropriation claim. In addition, California, Illinois, and Massachusetts recently joined Maryland in enacting laws prohibiting the practice of requesting access to prospective employees’ password-protected social media accounts.

Client Alert
10/5/2012
Recently Enacted Legislation of Interest to California Employers
Authors: Ellen Connelly Cohen, Thomas N. Makris

September 30 was the last day for California Governor Edmund G. Brown, Jr. to sign or veto bills passed by the State Legislature during its 2011-2012 Regular Session. Governor Brown signed several bills of interest to California employers, including an overhaul of the Workers’ Compensation system, elimination of the Fair Employment and Housing Commission, new laws requiring accommodation of employees’ religious dress and grooming practices, restrictions on access to employees’ social media accounts, expanded state law protections for whistleblowers, and new rules governing employees’ rights to inspect their personnel files.

Bylined Article
9/28/2012
How to Buy Cyberinsurance
Authors: David L. Beck, Rene L. Siemens

Exposure to network and data security breaches has grown exponentially in recent years, and the market for insurance to cover this risk has grown just as fast. With policies sold under names like "cyberinsurance," "privacy breach insurance" and "network security insurance," the market for this coverage often seems chaotic, with premiums and terms varying dramatically from one insurer to the next. So before buying or renewing a cyberinsurance policy, it is crucial to understand what you are being offered and how to bargain for what you need.

Client Alert
6/11/2012
Employ Me, Don’t Friend Me: Privacy in the Age of Facebook
Authors: James G. Gatto, Julia E. Judish, Amy L. Pierce, Meighan E. O'Reardon

With the unprecedented popularity of social media, individuals have increasingly been willing accomplices in undermining their own privacy. Few would have predicted that millions of people would voluntarily log onto the Internet and share detailed private information about themselves, their friends, family and employers. Users of social media have implemented varying privacy safeguards from unrestricted blogs to Facebook posts limited to a customized list of friends. Even those who seek privacy, however, must contend with a growing practice by employers and others of requesting access to password-protected social media accounts. Social media users have lost jobs and educational opportunities as a result of the increased scrutiny of these private postings. Maryland recently became the first state to enact a law prohibiting this practice; several other states and the U.S. Senate and House have similar legislation under review.

Advisory
6/7/2012
China Business Series: Personal Data Protection
Authors: Woon-Wah Siu, Qiaozhu Chen
Foreign companies doing business in China should consider adopting safeguards to protect employee personal data to reduce the risk of unauthorized disclosure or claims of infringement of privacy.

Bylined Article
5/11/2012
I Know What You Watched Last Summer
Source: Law360
Authors: Christine A. Scheuneman, Catherine D. Meyer, Lauren Lynch Flick, Amy L. Pierce, Jennifer So

This Client Alert was republished in Law360 on May 11, 2012.

The Northern District of California continues the series begun by the Seventh Circuit in Sterk v. Redbox Automated Retail LLC, against class actions brought under the federal Video Privacy Protection Act and seeking lucrative liquidated damages simply because a "video tape service provider" retains records of customers' video purchases and rentals past the one-year cut-off.

Client Alert
4/6/2012
U.S. Supreme Court Limits the Scope of "Actual Damages" in the Federal Privacy Act
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
In its March 28 decision in Federal Aviation Administration v. Cooper, the U.S. Supreme Court interpreted the federal Privacy Act of 1974 and held that the term "actual damages," as used in the Act, does not include damages for mental or emotional distress. Because of its chameleon-like quality, the meaning of the term "actual damages" was considered in the particular context in which it appeared. The Court then found that, because Congress declined to authorize general damages for a violation of the Act, it was reasonable to infer that it intended "actual damages" to mean special damages for proven pecuniary loss.

Client Alert
3/22/2012
California Court OKs Collecting Consumer ZIP Codes to Combat Credit Card Fraud
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So

Just over a year after it was filed, Chevron Corporation and other oil companies won dismissal of a putative privacy class action filed after the California Supreme Court's decision in Pineda v. Williams-Sonoma Stores, Inc. The complaint alleged that oil companies collecting consumers' ZIP codes at the gas pump violated California's Song-Beverly Credit Card Act. The Los Angeles Superior Court disagreed, deeming the plaintiff's argument that the Act applies to the oil companies' fraud prevention efforts "absurd." The gas pump case had already inspired a new California law permitting anti-fraud ZIP code collection.

Client Alert
3/1/2012
Avoid Being in the Spotlight of California's 'Shine the Light' Privacy-Related Law
Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
Eight years after California's "Shine the Light" privacy-related law (S.B. 27) went into effect, five putative class actions alleging violations of Civil Code Section 1798.83 have been filed. The law regulates businesses that disclose customers' personal information to third parties for direct marketing purposes, requiring that customers be informed of the disclosures. Each violation can mean a $3,000 civil penalty.

Client Alert
2/8/2012
"Perfect Storm" of EU Data Law Changes; New 2% of Global Revenue Fine Announced. Are you Ready?
Authors: Rafi Azim-Khan
The EU proposals announced a few days ago are just the latest developments over recent months which have seen major data protection law changes come into force that affect not just UK or EU companies but any company, particularly US, deemed to be caught "processing" EU data. New fines increasing penalties from £5,000 to £500,000 per offence, implementation of the E-Privacy Directive (and new restrictions on cookie use, tracking and customer profiling), a newly appointed enforcer in the UK, new website policing for the first time and so on have all helped focus attention on what has been for many a hitherto "bothersome" or "dull" compliance topic.

Client Alert
1/26/2012
Third Circuit Finds No Willful Violation of FACTA for Printing Partial Expiration Date
Authors: Christine A. Scheuneman, Brian D. Martin, Amy L. Pierce, Nathaniel R. Smith

The Third Circuit confirmed that, while the merchant’s printing of a partial credit card expiration date on the customer’s receipt violated the Fair and Accurate Credit Transactions Act, the merchant’s interpretation of Section 1681c(g)(1) of FACTA had been objectively reasonable. The court also recognized that "[t]hese are issues of first impression among the federal courts of appeals."

Client Alert
11/16/2011
Doing Business in Europe? Social Media Prosecution in Germany Flags Data Consent Problem for All Businesses
Authors: Rafi Azim-Khan, Steven P. Farmer
Do you transfer personal data from Europe to the US? Do you use cookies on a website which is aimed at European customers? Do you send marketing emails to Europe? Do you otherwise "process" data in Europe? Do you really have consent to process personal data? If any of these questions strike a chord with you, then you should certainly note recent trends in the EU regarding the concept of "consent," not least the news from Germany that Facebook is to be prosecuted (and potentially fined up to $400,000) over its facial recognition software feature and for failure to properly obtain consents.

Advisory
10/20/2011
Employee Data Privacy—An Overview of Employer Responsibilities
Source: also found in Perspectives: An Executive Compensation, Benefits & Human Resources Law Update - Fall 2011 | Volume 2, Edition 3
Authors: Scott E. Landau, Bradley A. Benedict
Employers collect a substantial amount of personal information about their employees. Companies need to be aware of their obligations under the profusion of data protection laws and regulations that govern the collection, use and transfer of personal information. This is an especially daunting task for companies that have operations subject to the laws of multiple jurisdictions, as requirements vary widely from country to country and even from state to state. This Advisory summarizes some basic concepts to consider under current data privacy laws that relate to human resources matters.

Client Alert
10/12/2011
Carded at the Virtual Door: Distilled Spirits Face New Digital Marketing Guidelines
Authors: Robert B. Burlingame
On September 30, 2011, a new set of digital marketing guidelines went into effect for distilled spirits companies in the United States and Europe.

Client Alert
10/11/2011
Retailers Recording ZIP Codes: Class Action Fuel in California, Uncertainty In New Jersey
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Christine A. Scheuneman, Fusae Nara, Amy L. Pierce
Within weeks of each other, New Jersey Superior Court Judge Hansbury and U.S. District Court Judge Walls—each ruling on a motion to dismiss a claim brought under New Jersey's Truth in Consumer Contract, Warranty and Notice Act—disagreed about whether such a claim may be premised on an alleged violation of New Jersey's privacy law, N.J.S.A. 56:11-17. Whether New Jersey will follow California, interpreting "personal identification information" to include a ZIP code, remains to be seen.

Advisory
9/8/2011
Craigslist Defeats Claim that Song-Beverly Credit Card Act Governs Online Transactions
Authors: Deborah S. Thoren-Peden, Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce

San Francisco Superior Court sustains craigslist, Inc.’s demurrer to plaintiff Norman Gonor’s class action alleging violations of California’s Song-Beverly Credit Card Act in connection with online transactions involving credit cards.

Survey
8/11/2011
2011 Crisis Management Survey
A new survey conducted by Pillsbury Winthrop Shaw Pittman's Crisis Management Team and Levick Strategic Communications found that though 60 percent of survey respondents said their companies have a crisis plan in place, just 29 percent felt very confident their organization would respond effectively if a crisis occurred. Another 56 percent said they felt somewhat confident.

Client Alert
5/24/2011
FCC Forum to Focus on Privacy Issues With Location-Based Services, Cell Phone Tracking
Authors: Lauren Lynch Flick, John L. Nicholson
A unique interagency initiative with the FTC will bring together experts in both the technical aspects of location-based services and the privacy concerns raised by LBS on June 28, 2011. Interested parties may file comments to be incorporated in a staff report to the Commission until July 8.

Client Alert
4/5/2011
Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Penalty
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce
The Briar Group, LLC, which owns and operates popular bars and restaurants in the Boston area including The Lenox, MJ O’Connor's, Ned Devine's, The Green Briar, and The Harp, settled with Massachusetts' Attorney General for allegedly "putting the payment card information of consumers at risk."

Client Alert
2/24/2011
Obtaining Insurance Coverage for the New Wave of Class Action Lawsuits Filed Against Merchants Recording Zip Codes
Authors: Robert L. Wallan, Kimberly Buffington
The California Supreme Court's February 10 decision in Pineda v. Williams-Sonoma has already spawned a wave of class action lawsuits, many of which may constitute covered losses under a business's Directors and Officers ("D&O") or Commercial General Liability ("CGL") insurance policies.

Client Alert
2/11/2011
California Supreme Court: "Requesting and Recording a Cardholder's ZIP Code" Violated State Law
Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Greg Johnson, Meredith E. Nikkel
On February 10, 2011, in Pineda v. Williams-Sonoma Stores, Inc., the California Supreme Court reversed the Fourth District Appellate Court, holding that the definition of "personal identification information" in California's Song-Beverly Credit Card Act of 1971 includes a customer's ZIP code. The Court concluded that the word "address" in California Civil Code section 1747.08 "should be construed as encompassing not only a complete address, but also its components."

Advisory
1/18/2011
NJ Court Denies Injunction Sought by Amex and Merchants Over Prepaid Card Data Law
Authors: Amy L. Pierce, Deborah S. Thoren-Peden
On January 13, 2011, Judge Freda L. Wolfson, U.S. District Judge, District of New Jersey, denied an emergency motion for preliminary injunction from the New Jersey Retail Merchants Association, New Jersey Food Council and American Express Prepaid Card Management Corporation. The motion sought construction of the NJ Court’s Order dated Nov. 13, 2010, and a preliminary injunction to stop the State of New Jersey from enforcing the recent data collection amendments to its Unclaimed Property Law, as well as portions of the New Jersey Treasury announcements dated Nov. 23 and Nov. 24, 2010.
