Privacy & Security Law Blog

Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Technology

Subscribe to Technology RSS Feed

U.S. District Court Dismisses Privacy Class Actions against Viacom, Google

Posted in Communications/Media, Technology

Google and Viacom’s Nick.com, Nickjr.com, and Neopets.com off the hook – for now

On July 2, 2014, New Jersey Federal District Judge Stanley R. Chesler dismissed six consolidated MDL class actions challenging Viacom’s and Google’s practice of installing cookies on personal computers that were used by children to access three Nickelodeon websites.  According to Plaintiffs, Viacom allegedly used its cookies to collect personally identifiable information (PII) on the children in an anonymized format without user or parental consent.  Viacom then allowed Google to access the data in Viacom’s “first-party” cookies, and also allowed Google to install its own “third-party” cookies.  Plaintiffs—all of whom were under thirteen years of age—alleged this data collection and sharing violated federal, California, and New Jersey law, including the federal Video Privacy and Protection Act (VPPA), Wiretap Act, and Stored Communications Act (SCA), as well as the California Invasion of Privacy Act (CIPA) and the New Jersey Computer Related Offenses Act (CROA).

Judge Chesler dismissed most of plaintiffs’ counts against Viacom and Google with prejudice, but gave the plaintiffs leave to file an amended complaint against Viacom to address the few claims that remain, including the claim that Viacom violated the VPPA. That may be little ... Continue Reading

UPDATE on Breslow v. Wells Fargo – Same as the Old Boss: Eleventh Circuit Withdraws Opinion Just Four Days Later, But to Little Practical Effect

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Just a few days ago, we reported on the Eleventh Circuit’s decision in Breslow v. Wells Fargo, which reaffirmed precedent that strict liability can arise in autodialer, prerecorded-message and texting suits under the Telephone Consumer Protection Act (TCPA), if a caller or texter obtained consent from the intended recipient, but that party’s cell number was reassigned.  We noted how this reinforced the Eleventh Circuit’s prior decision in Osorio v. State Farm to the same effect, and which in turn aligned the Eleventh Circuit on this issue with the Seventh Circuit under its decision in the Soppet v. Enhanced Recovery case.  Now, just days after it issued its ruling, the Eleventh Circuit – acting on its own momentum and not at request of the any of the parties – has withdrawn its Breslow decision.

In a short order, the Circuit Judges who decided Breslow vacated their original opinion, and held instead the prior Eleventh Circuit Osorio decision should have controlled in Breslow.  Specifically, the replacement Breslow decision observes that Osorio concluded that the “called party” for purposes of whether consent exists for an autodialed call or text or a prerecorded message is the subscriber to the cell phone ... Continue Reading

Summertime Blues: Eleventh Circuit Doubles Down on Strict TCPA Liability for Texts and Autodialed and Prerecorded Calls to Cell Phones

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Over the Spring, we reported on how the Eleventh Circuit’s decision in Osorio v. State Farm brought that court into alignment with the Seventh Circuit on how restrictions in the Telephone Consumer Protection Act (TCPA) on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls.  Now that Summer’s here, the Eleventh Circuit reaffirmed and reinforced its Osorio ruling, and aligned with the Seventh Circuit even more closely, by holding in Breslow v. Wells Fargo that where a company gets prior express consent to prerecorded-call and/or auto-dial or auto-text a cell phone, the caller can still be liable if at the time the call is made the cell number has been reassigned to a new subscriber who did not consent.

As in the Seventh Circuit case of Soppet v. Enhanced Recovery, which we discussed here, the calls at issue in Breslow involved efforts to collect on an overdue account, this time by Well Fargo, which believed it had consent to call the cell number which, at the time of the call, was used exclusively by Breslow’s minor son.  Wells Fargo called the ... Continue Reading

Should Have Stayed on The Farm(ville): Class Action Plaintiffs’ ECPA Claims Put Out to Pasture

Posted in Marketing and Consumer Privacy, Technology

Ah, to be a class action plaintiff these days. One day you’re up, plowing through the Northern District of California on expansive theories of injury, the next you’re down, upended like a top-heavy apple cart by a failure to properly plead your claims under the relevant statute. In In Re: Zynga Privacy Litigation, it was the latter—a failure to properly allege that Facebook and Zynga wrongly disclosed the “contents” of communications, under the Electronic Communications Privacy Act (ECPA). The Ninth Circuit decision affirming the district court’s consolidated opinion in Robertson v. Facebook and Graf v. Zynga, issued on May 7, 2014, can be found here.

Privacy class actions have often suffered from a glaring defect: the inability to allege injury, which is required for Article III standing and jurisdiction. In other words, the class plaintiff has made adequate allegations that information was wrongly disclosed, but not that consumers have been harmed by the disclosure. However, as we have reported previously (see also here), the Northern District of California has tilled the soil for more class actions—at least in that court—by holding that violations of a statute that establishes privacy rights and provides for statutory damages, such ... Continue Reading

Brazil Enacts “Internet Bill of Rights,” Including Net Neutrality and Privacy Protections

Posted in Global, Technology
Brazil’s long-debated “Internet Bill of Rights” has finally become law. The legislation, which passed the Brazilian Senate unanimously in April, is intended to secure equality of access to the Internet in Brazil—i.e., Net Neutrality—and provide privacy protections for Brazilian users of the Internet. Experts hailed the law “for balancing the rights and duties of users, government and corporations while ensuring the Internet continues to be an open and decentralized network.”

The law, known as the Marco Civil da Internet or “Marco Civil” (in English, the Civil Internet Regulatory Framework) was first proposed in the Brazilian Congress in 2011, but received new significance in late 2013 after revelations that the U.S. National Security Agency had spied on the communications of persons across the world—including Brazilian President Dilma Rousseff. Rousseff signed the Marco Civil into law on April 23, 2014. The law goes into effect in July.... Continue Reading

Commonly referred to in English as an “Internet Bill of Rights” or “Internet Constitution”, Brazil’s new Marco Civil provides for the freedom of expression and of content on the internet while also limiting the amount of metadata that can be gathered on Brazilian Internet users. The legislation also includes broadly worded protections for

“Like” It Or Not–It May Not Matter

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Loading Facebook’s “Like” Button Sends Personal Information Even If Not Clicked, and That Alone Could Violate the Video Privacy Protection Act

Recently, a magistrate judge in the Northern District of California confirmed what many already believed: that information disclosed to third parties without appropriate consent or pursuant to a permitted exception “must identify a specific person and tie that person to video content that the person watched in order to violate the [Video Privacy Protection Act].” But Magistrate Judge Beeler did not stop there and clarified that the VPPA “does not say ‘identify by name’ and thus plainly encompasses other means of identifying a person.” So what could have been a sigh of relief in the Hulu Privacy Litigation... Continue Reading may now affect numerous websites that contain streaming video clips or programs and which allow users to “like” those pages on Facebook or plug-in to other social media sites and applications. The court granted Hulu’s summary judgment motion with respect to its disclosures to comScore disclosures, but denied it with respect to Hulu’s Facebook disclosures, finding that material issues of fact remain and more information was needed to determine whether such disclosures were “knowing” or whether users had consented.

Tax Extension Deadline is Another Opportunity for Email Fraudsters

Posted in Technology

Posted by Lance Koonce

Yesterday, my accountant called me to let me know that my 2006 federal tax return was complete, and that I was getting a refund. He then confirmed that he would be filing the return electronically after we finished our call.

This morning, the following email showed up in my inbox:

From:              Internal Revenue Service [refund@irs.gov]

To:                   Koonce, Lance

Subject:            IRS Notification – Tax refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $249.30
Please submit the tax refund request and allow us 3-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards,
Internal Revenue Service

© Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.

Now, I knew my refund was not for $249.30, unless my accountant did some seriously bad math.  But the proximity of the email after the e-filing almost convinced me this was legit. ... Continue Reading

Think You’re Safe?

Posted in Technology

Posted by Angela Kang and Jennifer Small

The latest RSA Monthly Fraud Report warns of a new “plug-and-play” phishing kit that can install a phishing site within two seconds. Creating a phishing site is now as easy as installing a “.exe” file. If that doesn’t ring any alarm bells, McAfee Avert Labs reports a 784% increase in phishing sites in the first quarter of 2007, with no slowdown in sight.... Continue Reading

Internet Scams Target Car Buyers and Sellers

Posted in Technology

Posted by Brian Bennett

Experts say that scam artists are targeting just about every internet web site for automobile sales. Warning signs that consumers should watch out for are:

1) the seller or buyer won’t provide contact information, or the information doesn’t check out;

2) the transaction involves a money wire or illegitimate escrow account; or

3) the deal sounds too good to be true.

Perhaps most important to keep in mind is that once you have given your account information, your money is gone.... Continue Reading

Chinese Bank Network Involved in New Phishing Tactic

Posted in Technology

Posted by Peter Mucklestone and Stuart Louie

As recently reported by Gregg Keizer at TechWeb News, Netcraft, a U.K.-based internet monitoring company recently uncovered the unauthorized use of China Construction Bank Corp.’s servers by online criminals to host “spoofed sites” in order to dupe customers of American banks and online retailers. China Construction Bank Corp. is one of China’s “Big Four” state-owned banks with more than 14,200 branches across China.... Continue Reading

Congratulations, You’re Entitled to a Refund . . . Now Hand Me Your Wallet

Posted in Technology

Posted by Lance Koonce

Perhaps I’m just cynical, but if the Internal Revenue Service sends me an email notice today saying that I have unexpectedly received a refund on my taxes, I will not rush out and start start shopping for that new car just yet. (Of course, maybe that’s because my taxes are never done until April 15th, so anything I receive from the IRS this early is clearly a fraud.)

But the IRS is not laughing at the surge in email phishing attempts designed to prey on people’s tendency to trust official-looking communications from the federal government.... Continue Reading

Need Another Reason to Hate Tax Season?

Posted in Technology

Posted by Merrill Baumann

It’s axiomatic that wherever large sums of money are changing hands, there will be scams seeking a piece of the action… and tax collecting is no exception. Not surprisingly, the IRS warns that numerous phishing scams abound, where the perpetrator asks for confidential information in exchange for tax refunds or some other benefit. So how do you protect yourself against these fraudsters? One of this biggest weapons is common sense. Legitimate commercial outfits no longer request confidential financial information by unsolicited emails. And in many contexts, including the IRS, simply ask yourself: Why are they asking for this information? Don’t they already have it?... Continue Reading

Phishing Scams Continue to Rise

Posted in Technology

Posted by Kraig Baker

Gartner reports that phishing attacks grew 28% from May 2004 to May 2005. Almost 2.5 million people reported losing money because of phishing attacks (and that’s just those that admitted to it) to the tune of $929 Million and 11 million people clicked on a phishing e-mail. Despite the increase, it doesn’t appear to me that phishing attacks have gotten that much more sophisticated. I think this is an outgrowth of people’s general fear of computers and gullibility with respect to the written word. People who fall victim to phishing are undoubtedly the same people who used to forward the Bill Gates chain letter.... Continue Reading

The Governator: Hasta La Vista, Phishers

Posted in Technology

Posted by Lance Koonce On Friday, Governor Arnold Schwarzenegger signed California Senate Bill 355, the Anti-Phishing Act of 2005, which makes phishing schemes illegal in California. The legislation states that “[i]t shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.”... Continue Reading

Phishing in the Wake of Katrina

Posted in Technology

Looters are apparently not to the only persons seeking to benefit from the misery of others. The Salt Lake Tribune recently reported increasing incidents of phising in the wake of Hurricane Katrina. Within hours after Katrina devastated much of New Orleans, a flurry of Katrina-related domain name registrations were reported; many thought to be linked to bogus charities and fund-raising cons. (Example of possible phishing site described here). On eBay, sellers are auctioning Katrina-related domain names “promising” to donate a portion of the proceeds of the sale to flood relief efforts. Even the large financial markets are not immune.... Continue Reading

Beyond Phishing: Pharming and Crimeware Attacks

Posted in Data Protection, Technology

In a recent study conducted by the Anti-Phishing Working Group, a global association of ISPs, banks, law enforcement agencies and other concerned parties, it was noted that incidents of phishing (or the use of fraudulent emails to dupe people into sharing personal information such as back account passwords, PIN number and/or credit card information), while still rampant on the internet, are increasing at a slower rate.... Continue Reading

ATM Card Phishing

Posted in Data Protection, Marketing and Consumer Privacy, Technology

A report issued August 2, 2005, by Gartner, Inc. describes how thieves have stolen more than $2.75 billion by using phishing scams to obtain debit card account numbers and PINs from unsuspecting consumers. The thieves use the account numbers to create fake cards, then use the cards and PINs to drain consumers’ accounts, leaving consumers to deal with the bounced checks and the banks to reimburse the victims, as described in more detail here. The debit cards of some banks, such as Bank of America, are not targets because the banks take advantage of a second track on the magnetic strips on their cards to embed additional security codes that consumers — and therefore data phishing thieves — don’t know about. Banks whose debit cards have been hard hit by these attacks have begun using the second track on the magnetic strips on their cards and have beefed up their security codes in order to prevent the attacks.

Posted by Randy Gainer... Continue Reading