Quiz 5 IST 452
Sources of Privacy Law
- Torts: appropriation, private facts, intrusion, false light
- Property rights: information as property
- Protective statutes & regulations: children, financial, workplace, health, telecom
- Contract: NDAs, website policies, EULAs
- Constitutional rights
Sarver v. Experian Information Solutions
- Experian provided wrong info about Sarver and kept him from getting credit
- Sarver said they had info for a different person
- Experian said to send them his SSN and other PII
- Sarver didn't send anything and just sued instead
- COURT ruled: Experian could terminate a reinvestigation if the person didn't send the info
Financial Privacy Laws
-Intent is to assure fairness in credit reports without unduly burdening the credit reporting system (Fair Credit Reporting Act & Fair and Accurate Credit Transactions Act, as amended)
-Considerable financial PII has migrated onto computerized databases and may become accessible through telecommunications
-Merger of financial institutions results in the combination of each formerly separate firm's incomplete data into larger, more comprehensive and more valuable financial PII databases
-New financial privacy concerns have led to the passage of various state financial privacy laws and the federal privacy provisions of the Gramm-Leach-Bliley Act (GLB) in 1999
VPPA is also known as the
Bork Bill, because of what happened to Judge Bork: a lot of people didn't like Bork because he was conservative, and the media wanted to dig up bad stuff about him, so they went to Blockbuster to find his video rental records.
Is the suitability of a prospective spouse a valid reason to get a credit report?
NO
Amy Lynn Boyer's case was the only one where the plaintiff was successful, but it hasn't been followed.
TRUE
In re Jet Blue Airways was the first FTC case to challenge a company's change to its privacy policy without consent.
TRUE
A person trying to give you credit can see your credit report.
TRUE
There is an exception to the exception:
A large transaction: if you are accessing someone's credit report to extend credit of more than $150,000, or life insurance over that amount, the exception doesn't apply. Another report: if the salary is more than $75,000 a year, you can access the credit report back to the beginning of time.
You can sue Comcast, but if the government got info from Costco in violation of the CCPA, you could sue the government.
But there is no exclusionary rule, so you would be suing from jail.
•Phillips v. Grendahl (8th Cir. 2002)
Finder's report: an abbreviated version of a full credit report. Grendahl was the mother of someone who was going to marry Phillips, so she got hold of a Finder's report on Phillips and found he had many children with other women and had been sued for child support. Phillips found out about the Finder's report and sued Grendahl.
Vermont, New Mexico, California
You have to opt out under GLB unless you are in one of these states.
Smith v. Bob Smith Chevrolet, Inc. (W.D. Ky. 2003) cont
A Kentucky dealership employee sold a car to a buyer named Smith, and the salesperson thought he was related to the dealership's Smith family, so he gave the buyer a family discount. The dealership then accessed the buyer's credit report after he had left, to see how much more he could pay for the car. The court said: you accessed it only to see how much more buyer Smith could pay, and you can't access it down the road after a transaction has been completed.
CCPA is considered broad, but
no exclusionary rule
legitimate business interest
One of the reasons you can get a credit report. Read broadly it opens access too widely (too many people could get credit reports); there must be a reasonable belief that a transaction is open, but Smith had already paid and driven away. There has to be a narrow scope for a legitimate business interest.
special rule for employment purposes
Sometimes employers use credit history to decide whether to hire someone, but you have to disclose that you are doing it because it is for employment purposes.
If federal law permits the disclosure of info from a credit report, the breach of confidentiality tort will not apply.
TRUE
Will be liable if they can't demonstrate they've used reasonable identification methods.
TRUE (identity theft)
Relevant Case Law (Torts)
•ANALYSIS:
•Intrusion upon seclusion entails four elements:
-Unauthorized intrusion
-Offensive to a reasonable person
-Private matter
-Causes injury: anguish & suffering
•Ruling: plaintiffs did not satisfy the first element -- no "unauthorized intrusion"
-Cardholders provided data to AMEX voluntarily -- they chose to use the card
-No disclosure of financial data; only used for ads
•Appropriation:
-Ruling: name or likeness of individual not "appropriated"
Injury & Standing
•An overarching issue in privacy cases is whether the privacy violation caused any harm
•Plaintiffs generally have to show an identifiable injury in order to bring a lawsuit
•To have "standing" in federal courts, a plaintiff needs to demonstrate:
1. An "injury in fact" that is (a) concrete and particularized, and (b) actual or imminent
2. The injury is traceable to the actions of the defendant -- they did the bad thing
3. It is likely that the injury will be redressed by a favorable court decision -- you can be compensated for it -- the third is almost always satisfied
The Concept of Personally Identifiable Information (PII)
•Apple Inc. v. Superior Court (Cal. Sup. Ct. 2013)
•П sued Δ under the provisions of the Song-Beverly Credit Card Act of 1971
•Apple required П to provide his address and telephone number as a condition of accepting his credit card as payment
•The court distinguished the Pineda case
•Decided that the provisions do not apply to online purchases in which the product is downloaded electronically -- it's NOT face to face
•Cited need to balance consumer privacy protection with anti-fraud protection
-- Purchase of an electronic download: Apple required the guy to provide his address and phone number before they would accept the credit card, so the guy sued Apple
Cable Communications Policy Act (CCPA)
•Applies to cable operators & service providers
•Requires providers to inform subscriber of the nature and use of PII collected, the types of disclosure anticipated and the period during which such information will be maintained
•Provider may not use the cable system to collect or disclose any customer PII without prior written or electronic consent
•Provider shall destroy PII if no longer necessary
•Government may obtain PII with court order only if court finds:
-clear and convincing evidence of criminal activity
-subject afforded opportunity to appear and contest
-- NO exclusionary rule: you can sue, but it will be from jail
Property & Contract Law Concepts cont
•Arguments against treating PII as "property"
-Property rights are generally inadequate to protect privacy
-Problems with "alienability" (resale) of PII rights -- are you reselling it once or a million times? Do you get paid once or each time?
-Consumers may want restrictions on widespread "resale"
-Market may not be able to assign the proper value to PII rights
-"Power relationship"/bargaining position between individual consumer and large company inherently unfair
•Counter-argument is that PII-transfer transactions are "voluntary"
-But is this always true, in practical terms?
Self-Regulation
•Basic Premise:
-Businesses will tailor their privacy practices to meet customers' or consumers' preferences and the "free market" will ultimately yield the optimum level of privacy
-Companies that are viewed as misusing/abusing PII will be punished by consumers -- you will stop using the website
•Fundamental Question: Are consumers concerned about giving their PII to commercial entities?
-Most consumers appear willing to relinquish some privacy in order to obtain perceived benefits (access to web sites, etc.) -- e.g., the chance to tell friends about your daily life
-- People say they are worried about privacy in surveys, but they continue to give out information
Targeted Anti-Spam Legislation
•CAN-SPAM Act (continued)
•Does not provide consumers with a private right of action, i.e., the right of recipients to sue spammers -- you can't sue the spammer
•ISPs can sue for injunction or damages
•Enforcement:
-FTC proceedings
-Criminal prosecutions
-State attorney general actions to enjoin spammer
-Private lawsuits brought by ISPs
-- If you opt out and they still spam you, you can get the FTC involved
Breach of Confidentiality Tort
•Common law recognizes a tort for unauthorized disclosure of information provided in the context of a confidential relationship
-Historically applied to the physician-patient relationship
•Some courts have applied this tort to disclosures by banks & financial institutions of their customers' financial information
-These courts stress the fiduciary relationship between bank & customer
-Pennsylvania recognizes a "duty on a bank and its employees to keep a customer's bank account information confidential" as "an implied contractual duty under Pennsylvania common law" (McGuire v. Shubert, Pa. Super. 1998)
CAN-SPAM Act
•Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
•Highlights of CAN-SPAM:
-Permits e-mail advertising
-Prohibits misleading headers and other practices that mask the origin of e-mail ads
-Recipients must be allowed to opt out of future mailings
-E-mail ads may not be sent to recipients who opt out
-E-mail ads must be identified as such
-State antispam laws are generally preempted
Financial Privacy & Credit
•Credit Rating or Credit Score
-A debtor's "good credit rating" is essential to get access to credit to finance a car, home or business
-Debtor has ultimate responsibility for good credit through personal discipline
-Small credit reporting agencies (credit bureaus) and a few huge financial information service firms (Equifax, TransUnion, Experian, TRW) sell creditworthiness reporting services to lenders, insurers and prospective employers
-Credit histories are compiled from lender reports about the promptness and fullness of installment repayments on loans and credit cards
-- Credit card companies live on people who forget to pay off the balance, but if it's really bad you get worse credit
Enforcement in Financial PII Security
•Credit reporting agencies may be held liable for negligence if they do not establish and maintain reasonable procedures
-Need to ensure the accuracy of reports and supply the reports only for legitimate purposes
•FCRA provides for civil & criminal liability
-Civil liability: if willful violation, actual (and maybe punitive) damages + attorneys' fees; if negligent violation, actual damages + attorneys' fees
-Criminal liability: whoever knowingly and willfully obtains consumer information from a consumer reporting agency under false pretenses shall be fined, imprisoned for not more than two years, or both
Sarver v. Experian Information Solutions (7th Cir. 2004)
•Credit reporting agencies need to "follow reasonable procedures to assure maximum possible accuracy" in preparing credit reports & must reinvestigate items disputed by the consumer
-BUT... may terminate a reinvestigation if the consumer fails to provide sufficient information regarding the dispute
•Consumers must also show they suffered damage as a result of the inaccurate information
VPPA Case Law
•Daniel v. Cantrell (6th Cir. 2004)
•Police obtained Π's video records to support prosecution for sexual molestation (offered as evidence of modus operandi)
•Court held that "defendants not associated with the video stores" were not proper parties in the lawsuit under the VPPA
-VPPA only applies to "video tape service providers"
•Court argued that the N.J. court in the Dirkes case misread the clear language of the VPPA
•Which view is more convincing?
-- This one said cops couldn't violate the VPPA
What Constitutes Negligence?
•Dennis v. BEH-1, LLC (9th Cir. 2008)
-Credit agency report referred to a civil judgment that had been dismissed
-Agency refused to correct the report, claiming the information was accurate (third-party investigator did not understand the meaning of "request for dismissal")
•Court held the info was inaccurate and that the consumer suffered actual damages
-Losses included denial of credit, increased security deposits, "emotional distress"
VPPA Case Law
•Dirkes v. Borough of Runnemede (D.N.J. 1996)
•Π (police officer) accused of taking porn videos from a dead person's apartment
•Acquitted at criminal trial, but fired from the police force after police obtained records of pornographic video use from an employee of the video store (without warrant, court order, etc.)
•Clear that the video store would be liable under the VPPA, but Π sued the police (and municipality)
•HOLDING: Court allows suit against police, interpreting the VPPA to prevent unauthorized disclosures by anyone who comes into possession of private information in violation of the Act -- said the intent of Congress was broad
-- Dirkes was the first officer on the scene; he saw the porn and took it. Dirkes was acquitted, but the police force went to Blockbuster and got his video records. He sued the police and Runnemede.
Relevant Case Law (Torts)
•Dwyer v. American Express Co. (Ill. App. 1995)
•FACTS:
-AMEX rented spending-habit profiles of cardholders
-Profiles included "behavioral characteristics"
-Used to target shoppers for client stores & product lines
•LEGAL ACTION:
-Cardholders claimed invasion of privacy (specifically, intrusion upon seclusion and appropriation) and consumer fraud
-- They have targeted ads for their different levels based on what you do, like flying all over the world for a government job
Electronic Communications Privacy Act
•Dyer v. Northwest Airlines Corp. (2004)
•NASA sought NW passenger flight data for airline security research
•Court held that NW was not an "electronic communications service provider" and therefore not constrained by the ECPA
•But NW violated its own privacy policy to online users, customers
•Q: would NWA have violated the ECPA if it were an ISP?
Computer Fraud & Abuse Act: CFAA
•Enacted in 1986 and updated periodically
•Codified at 18 U.S.C. 1030
•Provides for criminal and civil penalties for unauthorized access to computers
•Focus on computer-related fraud & related activity
•Applies to all "protected computers"
-Defined as any computer used in interstate commerce or communication (i.e., just about every computer)
-NOTE: no restriction to ISPs, as in the SCA
•CFAA creates seven distinct crimes
-Broadest is: the intentional accessing of a computer without authorization and obtaining information from any protected computer
Fair Credit Reporting Act cont 2
•FCRA provides debtors with access to their credit histories on a limited basis, permitting them to correct mistakes in these reports
•Credit reporting agencies: must verify the accuracy of the information
-If a consumer disputes information in an agency's files, whether or not that information has yet been reported, the agency must reinvestigate
-Consumer may provide their own statement in the dispute
•FCRA requires credit agencies to exclude:
-bankruptcies over 10 years old; lawsuits, judgments and arrests/indictments/convictions over 7 years old -- it's 2021, so a bankruptcy from 2009 isn't shown
Fair Credit Reporting Act (FCRA) cont
•FCRA regulates the collection, permissible uses and disclosure of credit reports and the information contained in them
•In particular, it regulates how consumer reporting agencies use credit information
•Restricts who has access to sensitive credit information and how that information can be used
•Reports concerning transactions between the consumer and the reporter are not regulated -- the focus of regulation is A giving info to B about C
•Also imposes requirements for accuracy and establishes dispute procedures
Federal Trade Commission Action: FTC Enforcement
•FTC view is that use or dissemination of PII in a manner contrary to a posted privacy policy is a "deceptive trade practice" prohibited under the FTC Act
•Deceptive practices are those that:
-Cause substantial injury to consumers
-Are not reasonably avoidable by consumers themselves
-Are not outweighed by countervailing societal benefits
•Drawbacks: only the FTC can enforce the Act (no private lawsuits); it does not have jurisdiction over all companies & essentially can only compel companies to honor their promises
Pretexting
•Fraud & other illegal means to obtain PIFI from financial institutions, etc.
•Gramm-Leach-Bliley Act prohibits pretexting as "unfair and abusive"
-Prohibits "pretexting" to obtain consumers' personal financial information, such as bank balances
-Also prohibits the knowing solicitation of others to engage in pretexting
•The FTC has been active in bringing cases to halt the operations of companies and individuals that allegedly practice pretexting and sell consumers' financial information
GLB & Financial Privacy cont
•GLB requires notice to customers that simply describes the general categories of financial PII collected, disclosed and to whom disclosed.
•GLB privacy provisions apply only to "nonpublic personal (financial) information"
-Financial PII may be shared freely and without any consent privilege among affiliated companies of the financial services firm, e.g., broker, bank, insurer controlled by the same holding company.
-For nonaffiliated companies, may only share if the customer is provided notice and offered the ability to "opt out" of the disclosure
-- USAA has insurance, and the credit card people see that the person goes cliff jumping, so USAA would have to pay a lot when they get hurt. So can they deny insurance because they found out your life expectancy is shorter? Yes, they can.
Gramm-Leach-Bliley Act
•Gramm-Leach-Bliley Act (GLB, the Financial Services Modernization Act of 1999): intended to break down the separation between the three major sectors of financial services: commercial banking, investment banking and insurance
•GLB repealed a New Deal-era law, the Glass-Steagall Act, permitting a form of universal banking prevalent in most other industrialized nations
•GLB signaled an inevitable consolidation of financial service firms -- USAA: insurance, bank, credit card
Statutory Protections
•Growing number of federal statutes passed since the 1970s to deal with PII in databases and record systems
•Large number of statutes, each narrowly tailored to particular types of businesses and services
•Most statutes incorporate elements of the so-called "Fair Information Practices" that were later codified in the Privacy Act of 1974
Identity Theft Legislation
•Identity Theft Assumption and Deterrence Act
-Makes I.D. theft a federal crime
-"knowingly transfer or use" another's means of identification for unlawful purposes (broad definition)
•Fair Credit Reporting Act & Fair and Accurate Credit Transactions Act
-One-call fraud alerts & blocking data resulting from I.D. theft
•State Statutory Law
-Most states have I.D. theft statutes
-Focus often on elaborating criminal penalties; usually based on the amount of $ stolen
Relevant Case Law (Contracts): In re Jet Blue Airways Corp. Privacy Litigation
•In re Jet Blue Airways Corp. Privacy Litigation (2005)
•Jet Blue shared passenger records with the Government; passengers sued for breach of contract
•Main point of the claim was that customers relied on Jet Blue's promise not to disclose PII
•Court differs from the NW case in holding that privacy-related promises (even in a "general statement") could constitute a contract, even if not shown that plaintiffs read the privacy policy
•BUT ... Court held that plaintiffs did not demonstrate damages -- they only had a loss of privacy, and that doesn't count
Relevant Case Law (Contracts)
•In re Northwest Airlines Privacy Litigation (D. Minn. 2004)
•FACTS:
-NWA gave passenger PNRs to NASA, in violation of its own privacy policy
-Πs sued, alleging violations of the ECPA, FCRA, Minnesota state law, invasion of privacy, trespass to property (data) and breach of contract
•ISSUE (Contract):
-Is NWA's privacy policy a contract and, if so, did Πs suffer damage? -- NWA said they wouldn't share passenger data; did they violate that?
•HOLDING:
-General statements of policy are not contractual and in any case Πs did not read the policy & have not demonstrated losses -- they said they suffered mental anguish, and that's not good enough
Federal Trade Commission Action
•In certain cases the FTC can enforce commercial privacy policies
•A number of statutes specifically grant enforcement authority to the FTC:
-Federal Trade Commission Act
-Children's Online Privacy Protection Act
-Gramm-Leach-Bliley Act
-Telemarketing and Consumer Fraud Abuse Prevention Act
-Fair Credit Reporting Act
FTC & Retroactive Policy Changes
•In re Gateway Learning (2004)
•Gateway collected PII, but promised not to sell, rent or loan PII without customer consent
•After collecting consumers' information, Gateway Learning changed its privacy policy to allow it to share the information with third parties without notifying consumers or getting their consent
•FTC alleged an unfair trade practice (the first FTC case to challenge a company's material change to its privacy policy)
•Settlement:
-Barred Gateway from making deceptive claims about how it will use consumers' information and from applying material changes in its privacy policy retroactively, without consumers' consent
FTC & Bankruptcy Issues
•In re Toysmart.com LLC (2000)
•Toysmart promised to "never" disclose customer PII
•Bankruptcy prompted proposed sale of the PII database
•FTC complaint to block the sale - not successful
•Stipulation & Order:
-Bankruptcy Court approved the requested sale only to a "qualified buyer" who would be obligated by the same privacy promise that Toysmart had made -- the other company has to protect the privacy too
•Dissenting opinion believed the sale should not be approved; "never" should really mean "never"
FTC Enforcement
•In the Matter of Google, Inc. (F.T.C. 2011)
•Series of privacy-related issues in connection with the roll-out of "Google Buzz" in 2010
•Google had promised it would use PII from customers signing up for Gmail only for the purpose of providing them with a web-based email service & had promised to obtain consent for other uses
•In reality, Google used this information to populate its new social networking service & did not get prior consent
•Additionally, the "opt-out" features of Google Buzz did not completely prevent customers from being enrolled in certain features of Google Buzz
FTC Enforcement
•In the Matter of Google, Inc. (F.T.C. 2011)
•These actions by Google were ruled to be deceptive trade practices
•Google was also ruled to have violated the terms of the U.S.-EU Safe Harbor Framework, which required companies to adhere to various privacy principles
•Google was not required to pay fines or monetary damages, but was ordered to:
-End misrepresentations
-Provide "greater transparency" about PII-sharing
-Develop a "comprehensive privacy program"
Smith v. Bob Smith Chevrolet, Inc. (W.D. Ky. 2003)
•Issue is the interpretation of the "legitimate business interest" justification for accessing a consumer's credit report
•Court found that Δ (dealership) accessed Π's credit report after the contract had been concluded
-Δ argued it needed the report because the transaction was in dispute
-Court believed the report was accessed to see how much extra money Π might be able to pay
•Holding: "legitimate business need" must be narrowly construed
-Otherwise it could give unlimited access
Fair Credit Reporting Act cont
•Law Enforcement Access
-Generally: a consumer reporting agency may furnish identifying information respecting any consumer, limited to his name, address, former addresses, places of employment, or former places of employment, to a governmental agency
-FBI Rules: for an "authorized investigation to protect against international terrorism or clandestine intelligence activities" a consumer reporting agency
•shall furnish the names and addresses of all financial institutions at which a consumer maintains or has maintained an account
•shall furnish identifying information respecting a consumer, limited to name, address, former addresses, places of employment, or former places of employment
-- Not "may" but SHALL, so they have to do it
GLB & Financial Privacy
•Law authorizes widespread sharing of personal information by various types of financial institutions
-Banks, insurance companies, investment firms
•Definition of regulated "financial institutions" may still expand: brokers, credit unions, check-cashing services, retailers issuing credit cards, appraisers, vehicle lessors, check printers, tax preparation, investment advisors, mortgage brokers, trust services, credit counselors
•NOTE: GLB allows states to enact laws providing greater protection
-Fill in the GLB "gaps" (changing "opt out" to "opt in")
Defamation/Privacy Torts?
•Lawsuits against credit reporting agencies under state tort law for defamation or invasion of privacy
-Note that credit reports are "commercial speech"; they don't get lots of 1st Amendment protection
-All forms of damages are available even without "actual malice"
•BUT -- FCRA grants credit reporting agencies "qualified immunity" from defamation/privacy lawsuits
-Bars defamation/privacy lawsuits unless the agency acts with "malice or willful intent to injure" the consumer
-- Congress saying: we have procedures under the Fair Credit Reporting Act and credit reporting agencies bully us. So while there is a defamation avenue in court, it doesn't really work.
The Credit System
•Lending is BIG business in the U.S.
-Industries largely depend on borrowing: car, home, higher education, <50% of other retail
•Importance of Credit Reporting Agencies
-Prepare "credit reports" for use by creditor businesses in making decisions whether to provide credit to consumers
-Credit reports contain a wealth of information that can have privacy implications: bankruptcy filings, adverse judgments, foreclosures
-Credit reports may be supplemented by "investigative consumer reports," which may include "lifestyle" and "character" information
Video Privacy Protection Act (VPPA)
•NOTE: several important exceptions
•A video tape service provider may disclose PII concerning any consumer:
-to the consumer
-to any person with the "informed, written consent of the consumer"
-to a law enforcement agency pursuant to a warrant, a grand jury subpoena, or a court order
-to any person if the disclosure is incident to the ordinary course of business of the video tape service provider
•Disclosure solely of the names and addresses of consumers is allowed if the video tape service provider has given the consumer the opportunity to "opt out"
Criticisms of GLB Privacy
•PIFI sharing among affiliates encourages mergers to build data warehouses & conduct data mining
-Insurer might not underwrite a risky investor or spendthrift
-Highly sophisticated customer profiling of behaviors and preferences is now possible
•Provisions of required notices often confusing (designed to discourage exercise of rights?)
•Unfairly places the burden on the customer to protect their data by exercising opt-out
-Weakens customer power to control their financial information
-- No one likes this law; they think it's bad, and consumers don't like the information sharing
Fair and Accurate Credit Transactions Act (FACTA)
•Passed in 2003, amended FCRA
•Key Provisions:
-One-Call Fraud Alerts
-Business Transaction Data: transactions with creditors that were used by an identity thief must be disclosed to the victim upon request
-Blocking information resulting from identity theft
-Credit Freezes: restrict others from accessing consumer credit reports to make identity theft more difficult
-Free Credit Reports & Credit Scores
Fair Credit Reporting Act
•Permissible Uses:
-Consumer reporting agency can disclose a consumer report:
•Pursuant to court order or subpoena -- Equifax will not get in trouble if they are subpoenaed
•To the subject him/herself
•To a third party reasonably believed to use the data for:
-Providing credit, employment, insurance, licensing
-Assessing existing credit risk/capacity to pay support
-Legitimate business interest in connection with the subject
-Special Rule for Employment Purposes:
•Must disclose to & obtain authorization from the subject prior to seeking a credit report for employment purposes
What does GLB mean?
•Permits the merging firms to combine their separate financial PII into huge new databases containing customers' banking, brokerage and insurance information
•GLB required the major federal regulators of financial services to coordinate new privacy regulations restricting the onward transfer of financial PII outside these affiliating firms
•GLB requires security measures, notice and opt-out consent
Permissible Uses of Credit Reports
•Phillips v. Grendahl (8th Cir. 2002)
-Suspicious mom obtained a "Finder's Report" on her daughter's fiancé
•Court concluded:
-Finder's Report qualifies as a "consumer report" under the FCRA
-Key issues were (1) whether the report contained the sort of personal information that would bring it within the definition, and (2) whether anyone "expected" the Finder's Report or the information in it to be used for one of the purposes listed in the definition or "collected" the data for that purpose
-Holding: Mom had no legitimate interest in obtaining the report
Property & Contract Law Concepts
•Philosophical Issue:
-Should there be default property rights in PII? -- Facebook can borrow everything about me for $10 a month
-Should there be a default privacy rule in generic transactions between merchant and customer?
•Property or Contract approach would require firms to "buy" permission in ways beyond what is strictly necessary for a particular transaction
-Ancillary use, transfer to third parties, etc.
•Some aspects of privacy are already regulated by "contract," i.e., EULAs
The Concept of Personally Identifiable Information (PII)
•Pineda v. Williams-Sonoma Stores
•Issue for Decision: does a ZIP code count as PII under the Credit Card Act?
•Holding: Yes; "a cardholder's ZIP code is both unnecessary to the transaction and can be used, together with the cardholder's name, to locate his or her full address"
•Appeals court had concluded that a ZIP code only pertained to a group of individuals, unlike the specific items (such as address & telephone number) enumerated in the law
•Court ruled that ZIP codes can be leveraged to obtain other PII -- because of the way it can be leveraged
The Concept of Personally Identifiable Information (PII)
•Pineda v. Williams-Sonoma Stores (Cal. Sup. Ct. 2011)
•П sued Δ under the provisions of the Song-Beverly Credit Card Act of 1971 -- in face-to-face transactions this law says you can't ask for any more information
-Prohibits businesses from collecting and recording PII during credit card transactions
•Δ had requested П's ZIP code and then stored it
•Purpose was to conduct a "reverse look-up" of П's address to market merchandise to her
-- The cashier asked Pineda for her ZIP code, and with the ZIP code and credit card info they found Pineda's address and started sending letters and email, so Pineda sued
Fair Credit Reporting Act (FCRA)
•Principal financial privacy law is the 1970 Fair Credit Reporting Act (FCRA) -- when stuff started to be stored electronically
•Scope: applies to "any consumer reporting agency" that furnishes a "consumer report," "information suppliers" and "users" of credit report information
-Consumer Reporting Agency (CRA): any entity regularly engaged in the collection or evaluation of consumer credit information provided to third parties
-Information Supplier: any entity that submits credit information to a CRA; usually, this means a creditor
-Users of Credit Information: in addition to CRAs and creditors, anyone who uses credit information for employment, credit, or insurance purposes is covered by the FCRA
Children's Online Privacy Protection Act (COPPA)
•Regulates collection & use of children's information by web sites
•NOTICE: Children's websites must provide notice of what PII is collected, how it is used and the operator's disclosure practices for such information
•CONSENT: Must obtain "verifiable parental consent" for collection, use, or disclosure of PII from children
•Upon parent request, must provide:
-Description of the specific types of PII collected
-Right to refuse to permit further use or maintenance in retrievable form, or future online collection, of that PII
•ENFORCEMENT:
-FTC enforces COPPA as a "deceptive trade practice"
-Can impose fines; no private lawsuits
-- Under age 13 = you are still a child; only applies if you self-report as under 13. You can't lie on a website that you are older, or it won't count.
Relevant Case Law (Torts) Remsburg v. Docusearch
•Remsburg v. Docusearch (N.H. 2003)
•FACTS:
 •Youens used a commercial information broker, Docusearch, to obtain information about Amy Lynn Boyer, including her date of birth, SSN and employment address; he then found her at work and killed her
 •Docusearch obtained the work address through an outsourced "pretext" call
 •Youens had known Boyer from school and had been stalking her; Remsburg is Boyer's mother, suing on behalf of her estate
•ISSUES:
 •Intrusion upon seclusion and appropriation
 •Does a private investigator or information broker who sells information about a third party to a client owe that third party a cognizable legal duty with respect to the sale? In other words, does the broker have a duty to prevent harm?
•Remsburg v. Docusearch (N.H. 2003)
•HOLDING:
 •In certain limited circumstances (such as when the threat of misconduct is sufficiently foreseeable), data brokers may owe a duty to exercise reasonable care not to subject others to "unreasonable harm"
 •Key issues are the nature of the relationship and the need for protection
 •But there is no general duty to protect others from criminal acts unless there is a special relationship, the circumstances create one, or the duty is voluntarily assumed (e.g., by contract)
•Answer: YES, on these facts the broker had a duty to prevent harm; other courts have not followed this holding, so it is an outlier
Video Privacy Protection Act (VPPA)
•Restrictions on Disclosure of PII
•A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for relief
•Relief may include:
 •actual damages (but not less than liquidated damages of $2,500), punitive damages, attorneys' fees, and other preliminary and equitable relief as the court determines to be appropriate
•Most important "relief" is the exclusionary rule:
 •PII obtained in any manner other than as provided "shall not be received in evidence in any trial, hearing, arbitration, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority...."
•Practical effect: if law enforcement obtains video rental records without following the Act's procedures, the exclusionary rule lets the defendant have those records thrown out
Relevant Case Law (Torts) Shibley v. Time
•Shibley v. Time, Inc. (Ohio Ct. App. 1975)
•Πs sued Time and other magazines for selling their subscription lists to junk-mailers
•Alleged public disclosure of private facts and appropriation
•Court dismissed the claim
•Although lists can convey lifestyle data, this was insufficient to show mental suffering, shame, etc.
•Πs also lost on appropriation (Δs were not suggesting that Πs "endorsed" their products)
FCRA & I.D. Theft
•Sloane v. Equifax Information Services, LLC (4th Cir. 2007)
-Π sued under the FCRA for damages due to I.D. theft and Δ's failure to correct inaccurate information
-Δ admitted that it failed to: (1) follow reasonable procedures to assure security and accuracy; (2) investigate disputed information; (3) delete information found to be inaccurate
-Court rejected Δ's argument that Π had suffered only a "single, indivisible harm"
-Court did, however, reduce the jury's damages award to bring it into proportion with awards in defamation cases
-Takeaway: Equifax was held liable under the FCRA for failing to follow reasonable procedures
Additional Statutory Protections
•State Statutory Regulation
 •States are free to supplement federal legislation; there is no comprehensive federal privacy law
 •Some state statutes have stronger provisions
•PII Security Breach Notice Laws
 •Companies that maintain PII records must notify individuals when data is leaked, lost, or improperly accessed
 •California is the trend-setter
•Many states restrict disclosure of SSNs
•States may convert the federal opt-out default for financial information sharing into opt-in, so that a bank must obtain the customer's consent before sharing the customer's information
Telephone Consumer Protection Act (TCPA)
•Subscribers can sue telemarketers once their number is placed on the "Do Not Call" list
•A person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of this law may sue:
 •to enjoin such violation,
 •to recover actual monetary loss from such a violation, or to receive up to $500 in damages for each such violation, whichever is greater, or
 •both such actions
Tort Law
•Torts as Privacy Rights Under State Law
•Four major common law privacy rights:
 •intrusion upon seclusion
 •public disclosure of private facts
 •false light
 •misappropriation
•Most exist in some form in all 50 states, largely by common law precedent; a few states have codified them into statutory provisions
•KEY QUESTION: to what extent can tort law protect PII in web-based and other transactions?
Federal Trade Commission Action
•Triggers for FTC complaints
•Inadequate Security
 •No actual breach or loss of data need occur
•Security Gaffes and Failure to Train
 •Data security breach due to negligence or inadequate training
•Broken Promises / Retroactive Privacy Policy Changes
 •Changing a privacy policy "after the fact"
•Deceptive Data Collection / Inadequate Disclosure of the Extent of Data Collection
 •Failing to inform website users about the extent of tracking
Financial Privacy
•U.S. has more experience with federal regulation of privacy in the reporting of credit histories than with privacy regulation in any other sector
•Creditworthiness or Credit Risk: assessed using credit history, the data archived about a debtor's timely payments or payment defaults
•Information is sold as consumer reports to lenders, insurers, prospective employers and others to infer character and general reputation
•Many insist this information is relevant not only to decisions to issue credit, but also to employment and insurance underwriting
Computer Fraud & Abuse Act: CFAA
•U.S. v. Drew (C.D. Cal. 2009)
•ISSUE: whether violations of an Internet website's terms of service constitute a crime under the CFAA
•Δ (Lori Drew) was charged with conspiring with others to use a computer without authorization to commit the tort of "intentional infliction of emotional distress"
•Δ violated MySpace's Terms of Service by creating a fake profile and posting false/hateful communications to a teenager who subsequently committed suicide
 •The teenager had been friends with Δ's daughter; Δ and her daughter created a fake profile of a boy who claimed to like the teenager, then turned on her with cruel messages, after which she killed herself. It was the mother, not the daughter, who was prosecuted
•HOLDING: treating a violation of a website's terms of service, without more, as a violation of the CFAA's prohibition against "intentionally accessing a computer without authorization" would transform that section of the law into an "overbroad enactment"
•The court concluded that ruling otherwise would create a law "that affords too much discretion to the police and too little notice to citizens who wish to use the Internet"
•Bottom line: you cannot violate the CFAA merely by violating a website's terms of service
Tort Law & Identity Theft
•Wolfe v. MBNA America Bank (W.D. Tenn. 2007)
-A credit card was issued to a fraudster using Π's name
-Π sued on a negligence theory
-Δ argued it owed no duty to prevent identity theft against a non-client
-Court held: "Because the injury resulting from the negligent issuance of a credit card is foreseeable and preventable ... under Tennessee negligence law, Defendant has a duty to verify the authenticity and accuracy of a credit card application before issuing a credit card"
-Practical note: the identity thief is rarely a practical defendant, so most such suits are brought against financial institutions accused of negligently failing to catch the fraud