Reasonable Data Retention: An Important Tool for Law Enforcement or Further Erosion on Privacy?

Posted by K.M. Das

In December 2005, the European Parliament passed a far-reaching directive requiring Internet service providers and telephone companies to retain data on every electronic message sent and every phone call made, including VoIP, for six months to two years. Although ISPs and telephone companies will not be required to maintain the content of the communications, they will be required to keep data such as the time of a call, whether the call was answered or not, the times customers were connected to the Internet, their IP addresses, and other details related to e-mails and VoIP calls. The European Parliament's rationale for passing the directive was to combat terrorism and serious crimes.


Our National Privacy Officers

Posted by Lance Koonce

Today's Wall Street Journal contains an article about the new civil-liberties protection officer for the U.S. Office of the Director of National Intelligence, Alex Joel. Joel was recently appointed to this new position, which observers say was created to assuage privacy concerns relating to U.S. intelligence efforts, in particular the NSA's heavily criticized surveillance program (see prior entries here, here, here and here). Other privacy posts have been created at other agencies as well, including the Justice Department. As an aside (or maybe not), Mr. Joel sees no problem with the NSA program from a privacy perspective.


FCC Completes Rulemaking to Implement Junk Fax Prevention Act of 2005

Posted by Ronald G. London

The Federal Communications Commission has completed its rulemaking to adopt regulations codifying the "established business relationship" or "EBR" exemption to the federal prohibition on unsolicited facsimile advertisements in the Telephone Consumer Protection Act (TCPA). The codification was necessary under the Junk Fax Prevention Act, which mandated that the FCC reinstate the "EBR exemption" the agency announced it would eliminate in 2003 (after it had been in effect since 1992) in favor of requiring prior written consent for unsolicited fax ads. The new rules create a new "do-not-fax" regime for unsolicited advertisements whereby those who send such faxes must maintain an internal list of recipients who "opt out" of further faxes from the sender.


We Are Not Alone

Posted by Teena Lee

It should not surprise anyone that the US is not the only country with data security issues. Yet the differing legal regimes in other jurisdictions sometimes provide an opportunity to examine what works and does not work in addressing security problems before similar laws are enacted here.

For example, despite having what are purported to be stricter data protection laws than the U.S., it would appear companies in the United Kingdom continue to suffer just as much at the hands of criminal hackers as those in the United States. See this recent article from BBC News. Some of the key differences between the UK's data protection laws and their United States counterparts are that all "data controllers", i.e., those who determine what is to happen to personal data in their possession or in the possession of "data processors" holding the information on behalf of the controllers, must register their data processing activities with a state data protection agency, and that in some instances prior consent is required before any data processing can begin. Very generally, while the UK requires a more centralized regime for regulation, the United States relies on a mix of legislation, regulation and self-regulation, and for this reason the UK (as well as the European Union) has found that the US fails to meet its "adequacy" standard for data protection.

Yet much of the information we have on experiences under different regimes is anecdotal or spotty; it would be interesting to see an apples-to-apples comparison of data breach trends in various jurisdictions that have different protection regimes. Given the plethora of bills floating around Congress, surely someone has done such an analysis (and if not, why not?). If anyone knows of such a report, we would love to post a link here.

Employees Be Warned: Do Not Delete

Posted by Joseph Vance

Employers may have a new weapon to use against disgruntled employees who delete data on their computers before leaving the company. In a recent Seventh Circuit Court of Appeals decision, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), the court held that the employer could maintain a claim against a former employee under the Computer Fraud and Abuse Act, 18 U.S.C. sec. 1030 ("CFAA").

In that case, in the course of his employment, the defendant Citrin was issued a laptop to use to record data that he collected in the course of his work to identify potential acquisition targets. Citrin decided to quit and go into business for himself. However, before returning the laptop to his employer, Citrin deleted all of the data on the laptop and installed a secure-erasure program to ensure that the deleted files could not be recovered. The deleted files included not only the data he collected but also data that would have revealed to his employer improper conduct that Citrin had engaged in before he decided to quit.

The CFAA provides that whoever "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer," violates the Act. Citrin argued that merely erasing a file from a computer is not a "transmission." The court, however, concluded that the loading of the secure-erasure program onto the computer (either as an Internet download or from a disk insertion) constituted a "transmission" under the Act.

"Hey, I Really Paid $6 million for that Ramones T-Shirt"

Posted by Merrill Baumann

Apparently eBay subsidiary PayPal is used for a lot more than facilitating the purchase of commercial oddities online. At least that's what the IRS thinks. Earlier this week a U.S. District Court in California issued a summons requested by the IRS for account information relating to PayPal money transfers involving financial institutions in more than 30 countries used as tax havens.

The IRS explains that PayPal is simply another mechanism used by creative Americans to stash money overseas and avoid tax liability. PayPal is currently "evaluating [its] options" in light of its privacy obligations. While perhaps not quite as sexy as a request for sensitive information under the Patriot Act, it nevertheless will be interesting to see whether PayPal will try to challenge the IRS' well-known broad subpoena powers.

Sex Blogger Motion Denied

Posted by Bruce Johnson

Here's an update to my prior blog on Steinbuch v. Cutler. The United States District Court judge, Judge Paul Friedman, generally denied Cutler's motion to dismiss on Wednesday, except that he apparently recognized that much of the plaintiff's case was time-barred to the extent that it was filed after the one-year statute of limitations had run on such claims. A summary is available in today's Washington Post.

Federal Regulators Issue Report on Improving Financial Privacy Notices for Consumers

Posted by Stuart Louie

In the wake of the Gramm-Leach-Bliley Act (GLBA) requiring financial institutions to provide their customers with certain notices about their privacy policies and practices, federal regulators observed that such privacy notices were often too lengthy, dense in content, and contained complex language such that most consumers neither read nor understood them. In response to these observations, six federal agencies tasked with enforcing the GLBA (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission) initiated a multi-phase project to explore the development of a prototype financial privacy notice that would be easier for consumers to understand and use. The report entitled "Evolution of a Prototype Financial Privacy Notice," which was prepared by the Kleimann Communication Group, was released on March 31, 2006.


Fluffy Doesn't Feel So Good: When Bad Computer Viruses Infect Good Dogs

Posted by Kaustuv Das

Earlier I had reported on Professor Shamir's announcement at RSA Conference 2006 that it is possible to kill RFID tags using power-consumption-based attacks. Now, Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum, all from the Computer Systems Group at the Free University of Amsterdam, have announced that it is possible to spread computer viruses and worms using RFID tags.
