U.S. Supreme Court Hears Oral Arguments in Texting Case

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report.

On April 19, 2010, the U.S. Supreme Court heard oral arguments in the case of City of Ontario v. Quon, a Fourth Amendment privacy case on appeal from the Ninth Circuit.

The argument centered primarily on the first of three questions presented in the case:  whether a police officer had a reasonable expectation of privacy in text messages transmitted on his official police department pager given the circumstances.  Specifically, his employer, the city government, had articulated a general policy stating that employees should have no expectation of privacy in their e-mail and Internet usage on official systems.  However, Quon understood the police department to have an informal policy that it would not read the personal text messages of officers who paid for additional text message volume on their pagers to allow for personal use.  The officer in question, Jeff Quon, was a SWAT team member who paid for such personal use of his official pager, from which he sent personal messages to his wife, girlfriend and others.  Department officials accessed Quon’s messages as part of an audit.  In the course of reviewing the volume of the messages, obtained from the city's wireless provider, they came across the personal (and, at times, sexually explicit) content of the messages Quon sent.

At oral argument, Chief Justice John Roberts seemed somewhat sympathetic to the notion that the department had given Quon the impression that as long as he paid for personal use of his pager, “it would be reasonable for him to assume that private messages were his business.”  Overall, however, the Court appeared skeptical of Quon’s claims.

There were two other questions presented in the case that were not the focus of oral argument:  whether the Ninth Circuit contravened the Supreme Court’s Fourth Amendment precedents and created a circuit conflict by analyzing whether the police could have used less intrusive methods of reviewing the text messages, and whether individuals who send messages to a police officer’s pager have a reasonable expectation that their messages will not be reviewed by the recipient’s government employer.  

The justices also touched upon what, if any, bearing statutes such as the Stored Communications Act (SCA) should have on the Fourth Amendment's concept of reasonable expectation of privacy, although the SCA was not an issue before the Court.  It was, however, a subject of Quon’s suit at the district court and appeals court level, where he had named the wireless provider as a defendant.  In Quon v. Arch Wireless, the Ninth Circuit held that Arch Wireless had violated the SCA when it provided the text transcripts to the police department.  The actions of Arch Wireless were not at issue in the Supreme Court appeal.

HHS Scheduled to Issue Proposed HITECH Regulations in May

The U.S. Department of Health and Human Services (“HHS”) published its regulatory agenda (“Agenda”) in today’s Federal Register.  The Agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of HITECH. The Department is also scheduled to issue a final rule in May of this year, addressing the certification standards and implementation criteria for electronic health record technology.

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP Eircom and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland's data protection law.  The settlement agreement was signed after the record labels sued Eircom in connection with Eircom's failure to take action to discourage peer-to-peer copyright infringements on its network.  In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected as participating in unauthorized file sharing.  If the customers ignored Eircom's warnings, Eircom would cut off the subscriber's Internet access.  This sanction would be applied on a purely contractual basis, based on the subscriber's violation of Eircom's terms of use.  The subscribers' identity would never be shared with the record companies or with the police.  The detection of illegal file sharing would be conducted by a third party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.  

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

  1. Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom.
  2. Whether Eircom's processing of personal data for implementation of the graduated response mechanism is legitimate.
  3. Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses.  The court said that the word "likely" as used in the Irish law means "probably."  

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision, and Gerry Oberst's blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.

Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the above agencies impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.

Complimentary Webcast of a Presentation by Hogan & Hartson's Privacy Practice Lead Chris Wolf on New Directions in Enforcement and Policy at the FTC and the Impact on Businesses

The privacy and data security enforcement agenda at the Federal Trade Commission is evolving. Consent decrees are imposing stricter and more specific standards on business with respect to the collection, usage, storage, sharing and disposal of personal information. Recent changes in leadership at the FTC, and public statements from the FTC Chairman and the Director of the Bureau of Consumer Protection, suggest more aggressive privacy and data security enforcement in the coming years. And the entire paradigm of privacy protection, including its foundation of notice and choice, is under reexamination after a series of FTC Roundtables conducted in late 2009 and early 2010.

For businesses under the jurisdiction of the FTC, the impact of this evolving enforcement agenda is significant. Greater attention than ever must be paid to the issue of notice and choice, as well as to the physical, technical and administrative safeguards provided for personal information, to ensure that specific statutory standards enforced by the FTC are met and that the general consumer protection standard of Section 5 is also satisfied.

Historically, enforcement actions by the Commission under Section 5 of the FTC Act focused on businesses that failed to adhere to promises they made about privacy and data security. In many of these cases, the FTC determined that a business’s failure to adhere to its own policies and promises constituted an unfair business practice. In the middle of the last decade, however, the enforcement focus at the FTC began to change. Rather than concentrating enforcement activities exclusively on businesses that failed to adhere to their own promises, the Commission began to look more at whether a business’s actual privacy and data security practices were reasonable.

The many reports of data security breaches required under state laws gave the FTC several new enforcement targets – businesses whose lax data security led to breaches that had to be reported publicly. In these cases, unreasonably lax practices led to a complaint of unfairness under Section 5. Also noteworthy about this phase of FTC enforcement was that nearly all of these cases involved instances in which privacy and security failures resulted in substantial consumer harm. In recent years FTC enforcement has become more “granular,” in the sense that the FTC enforcement staff examines specific details of respondents’ privacy practices and information security measures when assessing “reasonableness.”

By clicking on this link, you will be taken to a 45-minute multimedia presentation on the new directions in enforcement at the FTC, with in-depth case analysis, including the recent Dave & Buster's consent decree involving the absence of filters for outgoing data to protect against the loss of personal data.

Hogan & Hartson Privacy Lawyers Featured in Chubb Online Innovation Event on Social Media Risk from April 26-29: You are invited to participate

Hogan & Hartson privacy attorneys, including Chris Wolf, will be participating in the Chubb Social Media Risk Innovation Event, hosted from April 26-29 by the Chubb Group of Insurance Companies and its technology partner, Imaginatik.  The event is an online, interactive session with risk managers, other business professionals, agents, and brokers in which participants will collectively identify risks and potential mitigation strategies regarding the use and potential misuse of social media.  Hogan & Hartson attorneys will be on hand throughout the event to facilitate the discussion and contribute expertise regarding legal risks businesses face from sanctioned and unsanctioned corporate and employee use of social media.

Demonstrating the power of social media, musician Dave Carroll posted a video seen by millions of people on YouTube chastising an airline he accused of breaking his guitar. View an invitation from Dave to Chubb's Social Media Risk Innovation Event.

You may self-register on-line at https://chubbsocialmedia.imaginatik.com. The first 500 people to register will receive a free download of "Perfect Blue," Dave's new album.

Once registered, you may participate in this online event either remotely via your PC, laptop, or smartphone (e.g., BlackBerry, iPhone, etc.) or at Chubb booth #1511 at the RIMS Conference in Boston, MA. We also welcome you to invite clients you believe would be interested in participating in this event by forwarding this email and its self-registration link.

Chubb will award prizes to participants who submit the most ideas and whose ideas generate the greatest amount of collaboration. The prizes include cash donations to charities, ranging from $500 to $2,000, in the names of the top three scoring participants.

New Jersey Ruling in Favor of Employee's E-Mail Privilege Claim Suggests Amendments to Corporate Monitoring Policies

On March 30, the New Jersey Supreme Court issued its opinion in Stengart v. Loving Care Agency, Inc., in which it unanimously held that the attorney-client privilege applied to e-mails sent by an employee using a personal, web-based e-mail account to her personal attorney on an employer-provided laptop, even though the employer had a general policy stating that the employee should have no reasonable expectation of privacy in the communications sent over company equipment.

The plaintiff, a nursing manager at Loving Care, was preparing for employment discrimination litigation against her employer when she sent e-mails to her attorney about the case using a personal, password-protected, web-based e-mail account from Yahoo from her employer-issued laptop.  In anticipation of discovery, Loving Care hired a computer forensic expert to recover all files stored on the laptop, and the expert turned up copies of some of the e-mails that, unbeknownst to the plaintiff, her web browser had automatically saved to the computer's hard drive.  Loving Care's attorneys reviewed the e-mails and used information from them during discovery, which was revealed to the plaintiff's attorney later in the case, who then sought to have them returned under the attorney-client privilege.

Loving Care argued that its electronic communications policy, which allowed employees incidental personal use of its computer systems but reserved the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice," eliminated any expectation of privacy the plaintiff might have had in the e-mails stored on the computer.  Nevertheless, the court found that the plaintiff had a reasonable expectation of privacy for three reasons:

  1. The plaintiff had a subjective expectation of privacy due to the fact that she used a personal, and not the company, e-mail account to send the messages to her attorney, and did not store her password on the computer.
  2. The plaintiff's expectation of privacy was objectively reasonable, given that her employer's policy did not address the use of private web-based e-mail accounts, even allowing incidental use of employer computers to send and receive personal e-mail.
  3. Most importantly, the e-mails clearly were subject to the attorney-client privilege, and contained a standard warning that their contents were confidential and subject to the privilege.

The court went on to hold that, given the public policy concerns underlying the attorney-client privilege, "even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system -- would not be enforceable."  The court, however, noted that an employee could still be sanctioned under an employment policy for spending excessive time communicating with a personal attorney during the work day, though the employer should still not be able to access the content of the communication.

The court zeroed in on the attorney-client-privileged nature of the e-mails, and the privilege played a large role in the final disposition of the case.  The court did not address whether Stengart would have had a reasonable expectation of privacy with respect to personal e-mail communications with a non-lawyer.  Nor did the court suggest that Stengart had a cause of action against her employer for an invasion of privacy, which would have required a showing that the e-mail review was "highly offensive to a reasonable person".  The issue was whether a discovered e-mail communication deserved protection under the attorney-client privilege.

While limited in jurisdictional breadth to New Jersey, Stengart is one of the first cases of its kind, and courts in other states could be tempted to follow it.  This could especially be the case as employee use of personal, web-based e-mail in the workplace becomes more common, with many employers relaxing their electronic communications policies to allow for "incidental" use of employee computer systems for personal reasons.

Thus, the case suggests the following:

  • Make clear in an acknowledged policy that employees have no expectation of privacy in their use of company computers, whether connected to the network or not, even where "incidental" personal use is allowed.
  • Make clear in such a policy that employers retain the right to monitor employees' use of employer resources, including the sending and receiving of personal, web-based e-mail, and explain that e-mails sent through a personal web-based e-mail account can end up being stored on company equipment and subject to review consistent with state law.
  • Prohibit the use of company resources to communicate with a personal lawyer and advise employees that they can be disciplined for violations (and all violations of the electronic resources policy).  Companies are not required to allow employee use of company equipment to plan litigation against the company.
  • For employers that permit "incidental" personal use of computer systems, emphasize that any use of company computers or electronic resources that rises above the level of "incidental" personal use and affects employee productivity can lead to sanctions under the policy, though this provision must be enforced uniformly and in a non-discriminatory manner.
  • Instruct company employees who monitor electronic communications not to review personal attorney-client privileged communications but, rather, to bring such communications to the attention of in-house counsel to review in accordance with the applicable ethical rules regarding waiver.

While Stengart is noteworthy, it did nothing to fundamentally alter the well-established principle that employers retain the right to monitor employee use of company equipment and that they can, through a well-crafted policy, reduce employees' privacy expectations.