    Customized Cybersecurity Assessment – Finding and Fixing Your Vulnerabilities

    Privacy, Data Security & Information Use


    Deborah S. Thoren-Peden

    Rafi Azim-Khan

    Client Alert
    FTC Issues New Guidance for Mobile App Developers that Collect Location Data
    Authors: James G. Gatto, Catherine D. Meyer, Elsa S. Broeker, Amy L. Pierce

    A mobile app that collects users’ location data while the mobile app is not in use should clearly disclose such practices and provide users with choices. Failure to do so could give rise to an FTC claim of deceptive practices.

    Client Alert
    How to Fail in the Internet of Things
    Authors: Brian E. Finch, Roxane A. Polidora, Catherine D. Meyer, Lindsay A. Lutz, Philip Shecter

    Innovation is prized in the growing space of the Internet of Things (IoT). But an innovative product design is not enough, and potential pitfalls abound. As demonstrated in a report published by the Federal Trade Commission (FTC), privacy and security need to be at the forefront of developers’ minds. Here are five lessons on what not to do when developing a connected product.

    Client Alert
    Stop Calling Me: Can Consumers Waive The Right to Revoke Consent under the TCPA?
    Authors: Andrew D. Bluth, Elaine Lee, Catherine D. Meyer, Amy L. Pierce

    This article was published in Law360 on January 22, 2015.

    The Telephone Consumer Protection Act permits companies to make telephone solicitations using autodialers and pre-recorded messages once they have a consumer’s consent to do so. Many authorities have suggested that such consent can later be revoked. However, it remains an open issue whether a consumer can waive his or her right to revoke consent, contractually or otherwise.

    Bylined Article
    IT Workers of the World Unite!
    Source: Fox Business
    Author: Brian E. Finch

    CISOs and CIOs, this is your big chance. Seize it.

    The Sony Pictures data breach could well be a curse for many of you, but it is also a golden opportunity. You’ll never again have such a great chance to call attention to your needs, much less your challenges.

    Bylined Article
    Why Cybersecurity Must Be Defined By Process, Not Tech
    Source: Wall Street Journal's CIO Journal
    Author: Brian E. Finch

    This article was originally published in The Wall Street Journal's CIO Journal on December 11, 2014.

    As cyber-attackers grow more sophisticated, the best and most realistic cyber defense strategy for CIOs is process-based.

    Perhaps the most challenging question associated with cybersecurity is determining whether “enough” security has been implemented. For CIOs, risk managers, directors and officers, this is no abstract question. The inability to get cybersecurity “right” will certainly lead to losses, including possible job losses.

    Bylined Article
    5 Questions for the New Defense Secretary
    Source: Fox Business
    Author: Brian E. Finch

    This article was originally published on Fox Business on December 2, 2014.

    “Revolving door” is a favorite pejorative term associated with the Washington job market. It refers to the cycle of lawyers, lobbyists, and policymakers that leap between private sector jobs and mid to high-level bureaucratic or legislative spots. Many, such as the President, decry this “plague” as creating a culture of coziness that devalues the interests of Joe Taxpayer.

    Bylined Article
    Cyber Neologisms Likely Headed for the Dictionary
    Source: Fox Business
    Author: Brian E. Finch

    This article was originally published on Fox Business on November 21, 2014.

    I am fascinated by the idea of creating new words out of thin air. It is an interesting concept that slang such as “selfie” and “ginormous” can officially become part of the English language.

    Given that, I have come up with some new words (and phrases) to try and capture some of what is going on in the world of cybersecurity. With that, in no particular order, I give you my official list of cyber neologisms:

    Bylined Article
    Five Cyber Security Takeaways from the Mid-Term Elections
    Source: The Huffington Post
    Author: Brian E. Finch

    This article was originally published on The Huffington Post on November 12, 2014.

    While not a much-discussed topic during campaign season, federal policy on cyber-security will likely see some material changes as a result of a Republican-controlled Senate. Just how significant those changes will be has yet to be determined, but here are some thoughts on probable outcomes:

    Bylined Article
    The Truth About Cyber Threat Information Sharing
    Author: Brian E. Finch

    This article was originally published on Fox Business on November 5, 2014.

    Everywhere you turn, someone is calling for increased cyber threat information sharing: Congressional members, former Congressional members, former Executive branch officials, learned experts, my Aunt Selma (but not Patty).

    Enough. I’m sick of hearing about it.

    Bylined Article
    October 2014
    Prioritising Privacy
    Source: Managing Partner
    Author: Rafi Azim-Khan

    This article was originally published in the October 2014 issue of Managing Partner.

    Law firms and clients that are caught unaware of changes to international data protection legislation risk heavy fines.

    Bylined Article
    Americans Increasingly Blasé Over Data Breaches
    Source: Fox Business
    Author: Brian E. Finch

    This article was originally published on Fox Business on October 15, 2014.

    If you have gotten to the point where you read about yet another data breach and thought “ho hum,” you are not alone. It is hard not to feel that way – it seems as if basically every place you might shop or do business is suffering from a data breach. These hacks run the gamut of the consumer spectrum, from discount stores and sandwich shops to some of the most respected luxury chains and high profile banks.

    Bylined Article
    Steps Directors and CIOs Can Take to Minimize Cyberattack Losses
    Source: CIO Journal
    Authors: Brian E. Finch, Sarah A. Good

    This article was originally published in The Wall Street Journal's CIO Journal on October 6, 2014.

    No director or officer can effectively carry out their duties today without considering the possibility of a cyberattack disrupting or damaging their company, and the fact that they will be the target of blame after the attack.

    Bylined Article
    How Directors Can Mitigate Cyber Risk with the SAFETY Act
    Source: National Association for Corporate Directors
    Authors: Brian E. Finch, Sarah A. Good

    This article was originally published by the National Association for Corporate Directors on October 2, 2014.

    There is no shortage of advice on cyber security measures available to corporate directors. What’s missing from many discussions about cybersecurity however is an exploration of what measures are available to minimize a company’s exposure to litigation and financial loss in the aftermath of a cyberattack. This is due in part to the fact that, as of this writing, there is no established cybersecurity baseline directors can point to in order to demonstrate that their actions were reasonable or in line with a standard of care. Fortunately, there’s the SAFETY Act, a federal safe harbor law administered by the Department of Homeland Security that can establish a record of appropriate cybersecurity measures, thereby relieving many concerns about whether a company is doing enough to protect itself from cyber threats.

    Bylined Article
    Watch Your (Supply) Tail
    Source: The Huffington Post
    Author: Brian E. Finch

    This article was originally published on The Huffington Post on September 30, 2014.

    “My logisticians are a humorless lot,” Alexander the Great once commented. “They know if my campaign fails, they are the first ones I will slay.”

    Wow. Here I thought I had worked for some tough bosses in my day, but yikes.

    Bylined Article
    CIOs Spur Revenue Generation Through Smart Cybersecurity
    Source: The Wall Street Journal's CIO Journal
    Author: Brian E. Finch

    This article was originally published in The Wall Street Journal's CIO Journal on September 11, 2014.

    Today as companies increasingly realize the value of strong cybersecurity, those CIOs who successfully implement an effective cybersecurity system should be viewed as a critical part of the revenue generation effort. An effective CIO who maintains a robust cyber risk management program will not only help ensure efficient operations, but will also play a role in crossing cybersecurity thresholds established by customers that would otherwise serve as a barrier to entry.

    Client Alert
    European “Cookie Sweep” Initiative – 15 - 19 September 2014 – Is Your Website Ready?
    Authors: Rafi Azim-Khan, Steven P. Farmer

    The European data protection authorities will be conducting a “cookie sweep” later this month, carrying out random spot checks on websites to assess for compliance with EU “cookie” laws. Businesses should therefore be checking their websites and cookie notices now to ensure they are compliant and fix any issues. Even if you are a non-EU (e.g. US) company it may catch you.

    Client Alert
    New Threat to “Bring Your Own Device” Policies: Employer Required to Reimburse Personal Cell Phone Expenses
    Authors: Thomas N. Makris, Paula M. Weber, Erica N. Turcios

    In a far-reaching decision, the California Second District Court of Appeal held in Cochran v. Schwan’s Home Serv., Inc., Cal. Ct. App. No. B247160, (August 12, 2014) that California Labor Code section 2802 requires employers always to reimburse employees who are required to use personal cell phones for work-related calls for a reasonable percentage of their cell phone bills, even when employees have cell phone plans with unlimited minutes or the plans are paid for by third parties.

    Bylined Article
    Online privacy concerns only increasing
    Source: The Daily Journal
    Authors: Kimberly Buffington, Carolyn S. Toto

    As the use of the Internet has expanded to permeate every aspect of our lives, so have myriad legal issues. The rapid pace of change has challenged the law in catching up in areas like online privacy. The amount of information being exchanged on the Internet is mind-boggling, and—because so much information can be gleaned from individuals by what they do (often unknowingly)—privacy has become a big concern.

    Bylined Article
    A Needed Review
    Source: The Huffington Post

    This article was originally published on The Huffington Post on August 26, 2014.

    As previously hinted at, President Obama has ordered a review of a Defense Department program that distributes surplus military equipment to state and local law enforcement agencies. This review, triggered by the civil disturbances in Missouri, will examine not only whether the equipment distribution was appropriate, but also whether proper training and oversight has concurrently been administered. In all likelihood, the review will expand to examine whether other federal programs, including the $2 to $3 billion in grants handed out annually by the Department of Homeland Security, have resulted in an “over-militarization” of police departments across the country.

    Bylined Article
    What Do I Need to Know and When Do I Need to Know It?
    This article was originally published in the Huffington Post on August 14, 2014.
    Author: Brian E. Finch
    Another day, another big hack discovered. According to reports from the New York Times, the Wall Street Journal, and numerous other publications, a small group of cyber criminals based out of Russia were apparently able to collect around 1.2 billion usernames and passwords from more than 400,000 websites globally. The company that identified the hack, Hold Security, estimates that this hack impacts more than 500 million people. Think about it: nearly one in ten people worldwide were apparently impacted by this attack. If true, wow.

    Bylined Article
    There Oughta Be A Law (Well, Maybe)
    Author: Brian E. Finch

    This article was originally published on on July 30, 2014.

    Bylined Article
    Using Words To Battle Cyber Losses
    This article was originally published in the Wall Street Journal: CIO Journal on June 23, 2014.
    Author: Brian E. Finch
    Words matter when it comes to cybersecurity.

    Client Alert
    No Harm, No Foul – Appellate Court Finds No CMIA Claim Without Actual Injury
    Authors: Joseph R. Tiffany, Connie J. Wolfe, Ph.D., Allen Briskin

    California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq. (“CMIA”), provides that an individual may recover $1,000 nominal damages (plus actual damages if any) based on the negligent release of medical information by a health care provider or other covered party. A California appellate court recently held that a health provider cannot be held liable for negligent release based on theft of medical records unless the plaintiff can establish that those records were actually viewed by an unauthorized person.

    Client Alert
    House of Representatives Passes SAFETY Act Amendment
    Clarifies that liability protections are available for cyber attacks
    Author: Brian E. Finch

    The U.S. House of Representatives took a major positive step towards increasing the nation’s cyber security posture today when, on a voice vote, it passed H.R. 3696, the “National Cybersecurity and Critical Infrastructure Protection Act.”

    Bylined Article
    The Admiral Sets A Good Course
    This article was originally published on The Huffington Post on June 20, 2014.
    Authors: Brian E. Finch
    Admiral Mike Rogers, the new leader of the National Security Agency and Cyber Command at the Defense Department, certainly has taken a different approach from his predecessor, General Keith Alexander. Right out of the gate, Admiral Rogers noted that the NSA had a public image issue and that it had lost some of its credibility with the American public.

    California Court Limits Liability for Loss of Certain Patient Information under CMIA
    Authors: Joseph R. Tiffany, Connie J. Wolfe, Ph.D., Allen Briskin

    California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq. (“CMIA”) of health care providers, health plans, pharmaceutical companies and others for the unauthorized disclosure of medical information. The CMIA provides that an individual may recover $1,000 nominal damages (plus actual damages if any) from a health care provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.

    Bylined Article
    Rethinking Cyber Defense
    Source: Fox
    Authors: Brian E. Finch

    This article was originally published on Fox on June 20, 2014.

    Client Alert
    California AG Issues New Privacy Policy and “Do Not Track” Compliance Guidelines, Announces Proactive Enforcement
    Authors: Andrew D. Lanphere, Catherine D. Meyer, Roxane A. Polidora, Jacob R. Sorensen

    The California Attorney General recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and Do Not Track disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.

    Bylined Article
    Circles and the Internet of Things
    Source: Fox Business
    Author: Brian E. Finch

    This article was originally published on Fox Business on June 5, 2014.

    Growing up, the sacred text in our house was Consumer Reports, a/k/a “Consumers”. Nary a television, home appliance, or automobile could be purchased without consulting the infallible guide to what was worth some hard earned dollars.

    Bylined Article
    The World Needs a 21st-Century Arsenal of Democracy
    Source: Fox Business
    Author: Brian E. Finch

    This article was originally published on Fox Business on May 15, 2014.

    Poland, Estonia, Latvia, and Lithuania cannot look back with much comfort on the promise of Western assistance in the face of military aggression.

    Client Alert
    New Canadian Anti-Spam Rules to Take Effect July 1, 2014
    Authors: Catherine D. Meyer, Deborah S. Thoren-Peden, Michael P. Heuga, Amy L. Pierce

    Businesses that use “commercial electronic messages” to market to customers and prospective customers in Canada should be aware of Canada’s new anti-spam rules, which require, among other things, the sender to obtain consent from the recipient before sending the message and the message itself to identify the sender and provide instructions enabling the recipient of the message to withdraw consent to receive such messages.

    Bylined Article
    Banding Together for Cyber Defense
    Source: Wall Street Journal's CIO Journal
    Author: Brian E. Finch

    This article was originally published in the Wall Street Journal’s CIO Journal on May 8, 2014.

    When discussing how companies can cooperate on cyber security, talk often revolves around information sharing. Yet while there’s value in the notion that companies and governments could freely share important threat data such as malware signatures and indicators of compromise, it’s not the last word on cooperative cyber defense. Opportunities exist now for CIOs to band together with other internal executives and similarly situated companies in the form of risk-pooling mechanisms to increase their defenses and better mitigate risk.

    Client Alert
    FTC Expands Focus on Tracking and Use of Consumers’ Location Data
    In-store monitoring of shoppers’ mobile devices under scrutiny.
    Authors: Roxane A. Polidora, Catherine D. Meyer, Lindsay A. Lutz, Kristen E. Baker

    Over the past few years, the Federal Trade Commission (“FTC”) has provided guidance regarding mobile platforms and app providers’ practices of collecting data about consumers’ locations through their mobile devices, with a focus on transparency and notice to consumers. The FTC recently hosted a spring seminar on emerging consumer privacy issues that focused on a new type of mobile device tracking: brick-and-mortar businesses tracking consumer movements in or around their premises using signals from the consumer’s mobile device.

    Client Alert
    Class Certification Properly Denied Where Individual Questions Predominated Under California’s Telephone Recording Statutes
    Authors: Brian D. Martin, Roxane A. Polidora, Richard M. Segal, Andrew D. Bluth

    The California Court of Appeal unanimously affirmed a trial court ruling denying class certification in a lawsuit filed under California’s Invasion of Privacy Act. The Court held that the determination of whether each potential class member had a reasonable expectation that his or her phone conversations would not be recorded would require too many individual fact inquiries to be treated on a class basis.

    Bylined Article
    Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships
    Source: Corporate Compliance Insights
    Authors: Meighan E. O'Reardon, Aaron M. Oser

    This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insights.

    Bylined Article
    February 2014
    Personal Data Transfers from the European Economic Area: Binding Corporate Rules Emerge as Increasingly Attractive Option
    Source: World Data Protection Report (Bloomberg BNA)
    Authors: Rafi Azim-Khan, Steven P. Farmer

    This article was originally published in the February 2014, Volume 14, Number 3 issue of Bloomberg BNA's World Data Protection Report.

    National Cybersecurity Framework Released – Has Your Organization Considered the Implications?
    Authors: Catherine D. Meyer, Meighan E. O'Reardon, Deborah S. Thoren-Peden, Amy L. Pierce

    On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”). The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

    Bylined Article
    November 2013
    U.K. Court of Appeal’s Award of Compensation for Distress to an Individual Following a Breach of the Data Protection Act: Opening the Floodgates for Claims by Individuals?
    Source: World Data Protection Report
    Authors: Steven P. Farmer

    This article was published in World Data Protection Report, November 2013, published by Bloomberg BNA (

    Client Alert
    California Internet Privacy Bill Signed by Governor, Effective Jan. 1
    Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Amy L. Pierce, Elsa S. Broeker

    On Friday, September 27, 2013, California Governor Edmund G. Brown signed Assembly Bill 370, a bill that amends the Business & Professions Code § 22575 to require an operator of a commercial Internet website or online service that collects personally identifiable information about consumers residing in California who use or visit its website or service to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of PII about the consumer’s online activities, and to disclose whether others may collect PII when a consumer uses the operator’s website or online service.

    Bylined Article
    Help Clients Insure Against Cyberattacks
    Source: Texas Lawyer
    Authors: Vincent E. Morgan

    This article was originally published in the July 22, 2013 issue of Texas Lawyer.

    Bylined Article
    June 2013
    Mobile Privacy Practices: Recent California Developments Indicate What's to Come
    Source: Computer Law Review International
    Authors: James Chang, James G. Gatto, Meighan E. O'Reardon

    This article was originally published in the June 2013 issue of Computer Law Review International (CRi).

    Bylined Article
    April 2013
    Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0
    Source: World Data Protection Report
    Authors: Rafi Azim-Khan, Steven P. Farmer

    What exactly is the "best" solution for an international business needing to handle and transfer personal data across borders?

    Protecting Personal Data in China
    Authors: Woon-Wah Siu, Julian Zou

    This advisory is one of a series prepared by Pillsbury's China Practice on questions frequently asked by our clients doing business in China. In June 2012, we published an advisory on personal data protection in China in which we also suggested some best practices. Here, we are updating that advisory to reflect new regulations adopted in the past six months.

    Client Alert
    Omnibus Final Rule Issued on HIPAA/ HITECH Act: Significant Changes for ‘Business Associates’
    Authors: Gerry Hinkley, Allen Briskin, Caitlin Bloom Stulberg

    On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes.

    Client Alert
    New Binding Corporate Rules Now Available for Data Processors
    Authors: Steven P. Farmer, Meighan E. O'Reardon, Simon J. Lightman
    In a further push towards “privacy by design,” the Article 29 Working Party, which is made up of representatives from the various EU data protection authorities, has recently approved the use of Binding Corporate Rules (“BCRs”) for international transfers of personal data by data processors effective as of January 1, 2013.

    Bylined Article
    January 2013
    European Parliament Rapporteur Albrecht Proposes Key Amendments to the Commission’s Draft Data Protection Regulation
    Source: Bloomberg BNA
    Authors: Steven P. Farmer

    In December 2012, Jan Philipp Albrecht, a Rapporteur for the European Parliament, released a draft report (the “Report”) on the European Commission’s proposed EU Data Protection Regulation (the “Draft Regulation”), which is intended to replace the existing legislative framework that has been in place in the European Union since 1995 (see analysis at WDPR, February 2012, page 4).

    Bylined Article
    October 2012
    A "Perfect Storm" of Data Law Changes; Are You Ready for a 2% of Global Turnover Fine?
    Authors: Rafi Azim-Khan

    Recent months and the EU January announcement have seen very major data protection law changes that affect not just UK or EU companies but any companies (particularly US) which are deemed to be caught by “processing” EU data.

    Client Alert
    Drawing the Line Online: Employers’ Rights to Employees’ Social Media Accounts
    Authors: James G. Gatto, Julia E. Judish, Thomas N. Makris, Amy L. Pierce
    With the unprecedented popularity of social media, employees have increasingly used LinkedIn and other online forums to network for business and social purposes. When the line between personal and business use is blurred, litigation may ensue. A federal court recently ruled that an employer did not violate federal computer hacking laws by accessing and altering its recently departed CEO’s LinkedIn account, but that the former CEO could proceed to trial on her state law misappropriation claim. In addition, California, Illinois, and Massachusetts recently joined Maryland in enacting laws prohibiting the practice of requesting access to prospective employees’ password-protected social media accounts.

    Client Alert
    Recently Enacted Legislation of Interest to California Employers
    Authors: Thomas N. Makris, Ellen Connelly Cohen

    September 30 was the last day for California Governor Edmund G. Brown, Jr. to sign or veto bills passed by the State Legislature during its 2011-2012 Regular Session. Governor Brown signed several bills of interest to California employers, including an overhaul of the Workers’ Compensation system, elimination of the Fair Employment and Housing Commission, new laws requiring accommodation of employees’ religious dress and grooming practices, restrictions on access to employees’ social media accounts, expanded state law protections for whistleblowers, and new rules governing employees’ rights to inspect their personnel files.

    Bylined Article
    How to Buy Cyberinsurance
    Authors: David L. Beck, Rene L. Siemens

    Exposure to network and data security breaches has grown exponentially in recent years, and the market for insurance to cover this risk has grown just as fast. With policies sold under names like "cyberinsurance," "privacy breach insurance" and "network security insurance,” the market for this coverage often seems chaotic, with premiums and terms varying dramatically from one insurer to the next. So before buying or renewing a cyberinsurance policy, it is crucial to understand what you are being offered and how to bargain for what you need.

    Client Alert
    Employ Me, Don’t Friend Me: Privacy in the Age of Facebook
    Authors: James G. Gatto, Julia E. Judish, Amy L. Pierce, Meighan E. O'Reardon

    With the unprecedented popularity of social media, individuals have increasingly been willing accomplices in undermining their own privacy. Few would have predicted that millions of people would voluntarily log onto the Internet and share detailed private information about themselves, their friends, family and employers. Users of social media have implemented varying privacy safeguards from unrestricted blogs to Facebook posts limited to a customized list of friends. Even those who seek privacy, however, must contend with a growing practice by employers and others of requesting access to password-protected social media accounts. Social media users have lost jobs and educational opportunities as a result of the increased scrutiny of these private postings. Maryland recently became the first state to enact a law prohibiting this practice; several other states and the U.S. Senate and House have similar legislation under review.

    China Business Series: Personal Data Protection
    Authors: Woon-Wah Siu, Qiaozhu Chen
    Foreign companies doing business in China should consider adopting safeguards to protect employee personal data to reduce the risk of unauthorized disclosure or claims of infringement of privacy.

    Bylined Article
    I Know What You Watched Last Summer
    Source: Law360
    Authors: Christine A. Scheuneman, Catherine D. Meyer, Lauren Lynch Flick, Amy L. Pierce, Jennifer So

    This Client Alert was republished in Law360 on May 11, 2012.

    The Northern District of California continues the series begun by the Seventh Circuit in Sterk v. Redbox Automated Retail LLC, against class actions brought under the federal Video Privacy Protection Act and seeking lucrative liquidated damages simply because a "video tape service provider" retains records of customers' video purchases and rentals past the one-year cut-off.

    Client Alert
    U.S. Supreme Court Limits the Scope of "Actual Damages" in the Federal Privacy Act
    Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
    In its March 28 decision in Federal Aviation Administration v. Cooper, the U.S. Supreme Court interpreted the federal Privacy Act of 1974 and held that the term "actual damages," as used in the Act, does not include damages for mental or emotional distress. Because of its chameleon-like quality, the meaning of the term "actual damages" was considered in the particular context in which it appeared. The Court then found that, because Congress declined to authorize general damages for a violation of the Act, it was reasonable to infer that it intended "actual damages" to mean special damages for proven pecuniary loss.

    Client Alert
    California Court OKs Collecting Consumer ZIP Codes to Combat Credit Card Fraud
    Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So

    Just over a year after it was filed, Chevron Corporation and other oil companies won dismissal of a putative privacy class action filed after the California Supreme Court's decision in Pineda v. Williams-Sonoma Stores, Inc. The complaint alleged that oil companies collecting consumers' ZIP codes at the gas pump violated California's Song-Beverly Credit Card Act. The Los Angeles Superior Court disagreed, deeming the plaintiff's argument that the Act applies to the oil companies' fraud prevention efforts "absurd." The gas pump case had already inspired a new California law permitting anti-fraud ZIP code collection.

    Client Alert
    Avoid Being in the Spotlight of California's 'Shine the Light' Privacy-Related Law
    Authors: Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce, Jennifer So
    Eight years after California's "Shine the Light" privacy-related law (S.B. 27) went into effect, five putative class actions alleging violations of Civil Code Section 1798.83 have been filed. The law regulates businesses that disclose customers' personal information to third parties for direct marketing purposes, requiring that customers be informed of the disclosures. Each violation can mean a $3,000 civil penalty.

    Client Alert
    "Perfect Storm" of EU Data Law Changes; New 2% of Global Revenue Fine Announced. Are you Ready?
    Authors: Rafi Azim-Khan
    The EU proposals announced a few days ago are just the latest developments over recent months which have seen major data protection law changes come into force that affect not just UK or EU companies but any company, particularly US companies, deemed to be caught "processing" EU data. New fines increasing penalties from £5,000 to £500,000 per offence, implementation of the E-Privacy Directive (and new restrictions on cookie use, tracking and customer profiling), a newly appointed enforcer in the UK, new website policing for the first time and so on have all helped focus attention on what has been for many a hitherto "bothersome" or "dull" compliance topic.

    Client Alert
    Third Circuit Finds No Willful Violation of FACTA for Printing Partial Expiration Date
    Authors: Christine A. Scheuneman, Brian D. Martin, Amy L. Pierce, Nathaniel R. Smith

    The Third Circuit confirmed that, while the merchant’s printing of a partial credit card expiration date on the customer’s receipt violated the Fair and Accurate Credit Transactions Act, the merchant’s interpretation of Section 1681c(g)(1) of FACTA had been objectively reasonable. The court also recognized that "[t]hese are issues of first impression among the federal courts of appeals."

    Client Alert
    Doing Business in Europe? Social Media Prosecution in Germany Flags Data Consent Problem for All Businesses
    Authors: Rafi Azim-Khan, Steven P. Farmer
    Do you transfer personal data from Europe to the US? Do you use cookies on a website which is aimed at European customers? Do you send marketing emails to Europe? Do you otherwise "process" data in Europe? Do you really have consent to process personal data? If any of these questions strike a chord with you, then you should certainly note recent trends in the EU regarding the concept of "consent," not least the news from Germany that Facebook is to be prosecuted (and potentially fined up to $400,000) over its facial recognition software feature and for failure to properly obtain consents.

    Employee Data Privacy—An Overview of Employer Responsibilities
    Source: also found in Perspectives: An Executive Compensation, Benefits & Human Resources Law Update - Fall 2011 | Volume 2, Edition 3
    Authors: Scott E. Landau, Bradley A. Benedict
    Employers collect a substantial amount of personal information about their employees. Companies need to be aware of their obligations under the profusion of data protection laws and regulations that govern the collection, use and transfer of personal information. This is an especially daunting task for companies that have operations subject to the laws of multiple jurisdictions, as requirements vary widely from country to country and even from state to state. This Advisory summarizes some basic concepts to consider under current data privacy laws that relate to human resources matters.

    Client Alert
    Carded at the Virtual Door: Distilled Spirits Face New Digital Marketing Guidelines
    Authors: Robert B. Burlingame
    On September 30, 2011, a new set of digital marketing guidelines went into effect for distilled spirits companies in the United States and Europe.

    Client Alert
    Retailers Recording ZIP Codes: Class Action Fuel in California, Uncertainty In New Jersey
    Authors: Deborah S. Thoren-Peden, Catherine D. Meyer, Christine A. Scheuneman, Fusae Nara, Amy L. Pierce
    Within weeks of each other, New Jersey Superior Court Judge Hansbury and U.S. District Court Judge Walls—each ruling on a motion to dismiss a claim brought under New Jersey's Truth in Consumer Contract, Warranty and Notice Act—disagreed about whether such a claim may be premised on an alleged violation of New Jersey's privacy law, N.J.S.A. 56:11-17. Whether New Jersey will follow California, interpreting "personal identification information" to include a ZIP code, remains to be seen.

    Craigslist Defeats Claim that Song-Beverly Credit Card Act Governs Online Transactions
    Authors: Deborah S. Thoren-Peden, Christine A. Scheuneman, Catherine D. Meyer, Amy L. Pierce

    San Francisco Superior Court sustains craigslist, Inc.’s demurrer to plaintiff Norman Gonor’s class action alleging violations of California’s Song-Beverly Credit Card Act in connection with online transactions involving credit cards.

    2011 Crisis Management Survey
    A new survey conducted by Pillsbury Winthrop Shaw Pittman's Crisis Management Team and Levick Strategic Communications found that though 60 percent of survey respondents said their companies have a crisis plan in place, just 29 percent felt very confident their organization would respond effectively if a crisis occurred. Another 56 percent said they felt somewhat confident.

    Client Alert
    FCC Forum to Focus on Privacy Issues With Location-Based Services, Cell Phone Tracking
    Authors: Lauren Lynch Flick, John L. Nicholson
    A unique interagency initiative with the FTC will bring together experts in both the technical aspects of location-based services and the privacy concerns raised by LBS on June 28, 2011. Interested parties may file comments to be incorporated in a staff report to the Commission until July 8.
