Privacy Primer: Family Educational Rights and Privacy Act (FERPA)

FERPA is a U.S. law, passed in 1974, that protects the privacy of student educational records.  FERPA applies to all schools, from elementary schools to postsecondary education institutions, that receive federal funds under a program of the U.S. Department of Education.  FERPA and the regulations promulgated under it provide a right to inspect educational records, a right to request amendment of educational records, and a right to privacy of educational records.

First, the rights under FERPA apply to “educational records,” which are records that are directly related to a student and are maintained by the educational institution or by a party acting on the institution’s behalf.  Educational records, however, do not include, for example, personal notes, records of law enforcement units (i.e., campus police), or employment records of students who may also be employees of the institution.

The right to inspect educational records initially belongs to parents.  Once a student turns 18 or attends school beyond the high school level, he or she becomes an “eligible student,” and the inspection rights transfer from the parent to the student.

Parents or eligible students have a right to review the student’s educational records and request that the school amend records that they believe are inaccurate, misleading, or in violation of the privacy rights of the student.  If the school does not make a requested amendment, the parent or eligible student has a right to a formal hearing with the school.  If the school decides not to make the requested amendment after the hearing, the parent or eligible student has the right to place a statement in the record as to why he or she believes the information is inaccurate, misleading, or in violation of the privacy rights of the student.  Any time the school discloses the disputed part of the record, it must also disclose the parent or eligible student’s statement.

Covered institutions generally cannot disclose to a third party any personally identifiable information from an educational record of a student without the parent or eligible student’s written consent.  The written consent must specify the records that the institution can disclose, the purpose of the disclosure, and to whom the institution can make the disclosure.

Covered institutions, however, can disclose personally identifiable information from an educational record without written consent to the following parties for the following reasons:

  • To school officials who have a legitimate educational interest in the information
  • To officials of another school for purposes related to a student’s enrollment in or transfer to that school
  • To certain federal officials or state and local educational authorities
  • To appropriate parties in connection with a student’s application for financial aid
  • To organizations conducting studies for a school to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction
  • To accrediting organizations
  • To comply with a judicial order or lawfully issued subpoena, after making a reasonable effort to notify the parent or eligible student of the order or subpoena before disclosure, so that the parent or eligible student may seek a protective order.
  • To appropriate parties in connection with a health or safety emergency
  • To comply with laws regarding registered sex offenders
  • To parents of eligible students at postsecondary education institutions who are under 21 and commit a disciplinary violation with respect to the use or possession of alcohol or a controlled substance
  • To appropriate parties in connection with disciplinary proceedings at postsecondary education institutions, provided that the student is an alleged perpetrator of a violent crime or non-forcible sex offense and has committed a violation of the institution’s rules or policies


Covered institutions can also disclose “directory information” without written consent.  Directory information consists of information that would not generally be considered an invasion of privacy if disclosed, such as a student’s name, address, telephone number, e-mail address, field of study, grade level, enrollment status, dates of attendance, or degrees, honors, and awards received.  Before disclosing directory information, however, the institution must give notice to parents and attending students as to what categories of information it consideres directory information and give them a reasonable opportunity to opt out of having any or all of those categories of information designated directory information for the particular student.

The Department of Education is responsible for enforcing FERPA.  There is no private right of action, but parents or eligible students who believe an institution has violated FERPA can file a complaint with the Department of Education’s Office of the Chief Privacy Officer.  The Office will investigate the claim and issue findings.  If it determines that the institution violated FERPA, it may set forth corrective actions that the institution must take.  If the institution fails to take such corrective actions within a reasonable time, as set by the Office, the Department can withhold further payments to the institution or terminate the institution’s eligibility to receive funding under any Department program.

Tagged with: ,
Posted in Privacy

Ninth Circuit Finds Article III Standing For Procedural Violation Of Biometric Privacy Law

The Ninth Circuit Court of Appeals has written the latest chapter of the ongoing saga of Article III standing for violations of the Illinois Biometric Information Privacy Act (“BIPA”).  BIPA requires, among other things, that before collecting a person’s biometric information, a company must provide certain notices to the person and obtain a written release.  Under BIPA, companies that collect biometric information must also establish a retention schedule so that biometric information is not stored for longer than needed.

In light of the Supreme Court’s decision in Spokeo v. Robbins, however, several district courts had ruled that a bare procedural violation of BIPA, absent any additional harm, was insufficient to confer standing in federal court, because such a procedural violation does not constitute an injury-in-fact.  Yet the January 25, 2019 Illinois Supreme Court decision Rosenbach v. Six Flags Entertainment Corp. appeared to elevate a procedural violation of BIPA over the threshold of concrete harm, albeit in the context of statutory interpretation.

In Patel v. Facebook, the Ninth Circuit took a view similar to the Illinois Supreme Court, affirming a district court ruling that a procedural violation of BIPA is sufficient to confer Article III standing, because the procedural violation, in and of itself, constitutes the concrete harm necessary to satisfy the injury-in-fact requirement of Article III.

The case involves allegations regarding Facebook’s Tag Suggestions feature, which was added in 2010.  When Facebook users upload a photo, they can “tag” the people in the photo, which then links to that person’s Facebook profile.  The Tag Suggestions feature uses facial recognition technology to analyze a photo when it is uploaded and compare any faces in the photo to Facebook’s database of user face templates.  If the feature detects that the photo depicts a Facebook friend of the user who uploaded the photo, it suggests that the user tag the friend in the  photo.

The plaintiffs in the case allege violations of BIPA because Facebook collected a scan of their face geometry from uploaded photos to build its user face templates database without obtaining a written release and without establishing a BIPA-compliant retention schedule.  Facebook moved to dismiss the case for failure to meet the requirements of Article III standing, but the district court denied the motion.

On appeal, the Ninth Circuit affirmed the district court.  First, the court noted that a concrete injury does not necessarily have to be a tangible injury.  To determine whether an intangible injury is nevertheless concrete, the court considers “both history and legislative judgment.”  It also noted that the violation of a statutory right that protects against the risk of real harm may be sufficient to constitute an injury-in-fact, even absent any additional harm beyond the statutory violation.  To determine whether a statutory violation is a concrete injury, the court asks (1) whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests, and if so (2) whether the specific procedural violations alleged actually harm, or present a material risk of harm to such interests.

The court answered both questions “yes” under plaintiffs’ allegations in the case.  It stated that privacy rights were well established in the common law and that technological advancements can present a real threat to those rights.  It also found the “judgment of the Illinois General Assembly” to be “instructive and important” on the matter.  It found that the Illinois General Assembly passed the procedural protections of BIPA as a means to protect a substantive right to biometric privacy.  It therefore concluded that the procedural protections in BIPA “were established to protect an individual’s ‘concrete interests’ in privacy, not merely procedural rights.”

It then turned to the question of whether the alleged procedural violations actually harmed or presented a material risk of harm to the plaintiffs’ privacy interests.  It concluded that they did.  Because the statutory right at issue is the right to retain control over one’s biometric information,  Facebook’s alleged conduct necessarily harmed that right.  In coming to its conclusion, the court cited to Rosenbach for the proposition that “when a private entity fails to adhere to the statutory procedures [in BIPA] the right of the individual to maintain his or her biometric privacy vanishes into thin air.”

Because the plaintiffs satisfied both prongs of the relevant test, the court ruled that they had sufficiently alleged a concrete injury-in-fact to satisfy the requirements of Article III standing.

Whether other circuits will rule similarly remains to be seen.  It is possible that the Supreme Court will ultimately have to resolve the issue.  But in the meantime, whether a BIPA litigant can successfully bring a claim in federal court (or whether a BIPA defendant can successfully remove a claim to federal court), may very well depend on where the claim is filed.

Tagged with: , ,
Posted in Data Security, Privacy

Year To Date Changes To State Data Breach Notification Laws

With so much attention being paid to the impending California Consumer Privacy Act, it can be easy to forget that other states have privacy and data security laws too.  And those laws change routinely, with potentially significant impacts on businesses.  Here is a quick rundown of changes to state data breach notification laws that have been enacted since the beginning of 2019.

Arkansas:  On April 10, 2019, the Arkansas General Assembly enacted amendments to the Arkansas Personal Information Protection Act.  The amendments added “biometric data,” such as fingerprints, retina scans, voiceprints, and DNA data, to the law’s definition of “personal information.”

The amendments also require personal data holders to notify the Arkansas attorney general if a data breach involves more than 1,000 individuals.  The attorney general must be notified at the same time the affected individuals are notified or within 45 days after the breached entity determines there is a reasonable likelihood of harm to customers, whichever occurs first.

The amendments also require a breached entity to retain a copy of the written determination of a data breach and supporting documentation for five years after the breach has been detected.  If the attorney general submits a written request for this documentation, the entity must provide it within 30 days.

The amendments became law on April 15, 2019 and become effective on July 23, 2019.


Illinois:  On May 27, 2019, the Illinois General Assembly, passed amendments to the Illinois Personal Information Protection Act with regard to data breach notifications.  Under the amended law, in addition to any obligation they may have to notify the affected individuals, data collectors are also required to notify the Illinois attorney general if a data breach involves the personal information of more than 500 Illinois residents.  Data collectors must give notice to the attorney general “in the most expedient time possible and without unreasonable delay,” but no later than when notice is given to the affected individuals.

The General Assembly sent the bill to Governor J.B. Pritzker on June 25.  He has 60 days to approve or veto the bill.  Absent action from Governor Pritzker, the bill will automatically become law upon expiration of the 60 days.     


Maryland:  On April 30, 2019, Governor Larry Hogan signed a bill amending the security breach notification requirements of Maryland’s Personal Information Protection Act.  The amendments expand data breach investigation requirements to businesses that maintain computerized personal data but do not own or license that data.  When there is a breach in such a situation, notification requirements fall on the business that owns or licenses the personal data.  The business that maintains the data, however, cannot charge the owner or licensee a fee for providing the information the owner or licensee needs to make the required notifications.

The new provisions become effective on October 1, 2019.


New Jersey:  On May 10, 2019, New Jersey enacted amendments to certain provisions of its data breach notification laws.  These amendments expand the definition of “personal information” to include a person’s first name or first initial and last name when linked with a “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.”  If a breach includes no additional personal information as defined in the law, the entity may provide notice electronically and direct the individual whose information has been breached to “promptly change any password and security question or answer” or take “other appropriate steps to protect the online account . . . and all other online accounts for which the customer uses the same user name or email address and password or security question or answer.”  An entity that provides a customer email account, however, cannot send notification of a data breach to an email address that is subject to that data breach.

The amendments become effective on September 1, 2019.


Oregon: On May 24, 2019, Governor Kate Brown signed into law amendments to the Oregon Consumer Identity Theft Protection Act, which will be renamed the Oregon Consumer Information Protection Act when the amendments become effective on January 1, 2020.  The amendments make a distinction between a “covered entity” and a “vendor” that is similar to the “controller” and “processor” distinction in the GDPR.  A covered entity is an entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information” in the course of its “business, vocation, occupation or volunteer activities.”  A vendor is an entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

A vendor who discovers a breach or has reason to believe a breach has occurred must notify the covered entity “as soon as practicable but not later than 10 days” after discovering the breach or having reason to believe a breach has occurred.  The covered entity is then responsible for giving the requisite notice to the affected individuals.  The vendor must also notify the Oregon attorney general if the breach involves more than 250 Oregon residents or the vendor is unable to determine the number of Oregon residents affected.  This is in addition to any requirements the covered entity may have to notify the attorney general.


Texas:  On June 14, 2019, Texas Governor Greg Abbott signed into law amendments to the Texas Identity Theft Enforcement and Protection Act.  Under the prior version of the law, holders of sensitive personal data had to disclose any data breach to the individuals affected “as quickly as possible.”  The amendments change this standard to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.”  The amendments also now require notification to the Texas attorney general if a breach involves at least 250 Texas residents.  These new notification provisions go into effect on January 1, 2020.

The law also creates the Texas Privacy Protection Advisory Council “to study data privacy laws in this state, other states, and relevant foreign jurisdictions.”  The council will consist of 15 Texas residents: five state representatives and two industry representatives appointed by the speaker of the house, five senators and two industry representatives appointed by the lieutenant governor, and three industry representatives and two non-profit or academia representatives appointed by the governor.  The law tasks the council with studying privacy and data protection laws from other jurisdictions.  It must report its findings and recommendations for any changes to Texas law no later than September 1, 2020.


Utah:  On May 14, 2019, certain amendments to Utah’s Protection of Personal Information Act became effective.  Under the prior version of the law, notification of a data breach could be provided by publication in a newspaper of general circulation and in accordance with general legal notice requirements.  Under the new law, notice by publication is permitted only for Utah residents for whom notification by other permissible means “is not feasible.”

The amendments also lifted the cap on civil penalties for data breaches that involve 10,000 or more Utah residents and 10,000 or more residents of other states.  They also set a 10-year limitations period for administrative enforcement actions under the Act and a 5-year limitations period for civil actions under the Act, both running from “the day on which the alleged breach of system security last occurred.”


Washington:  On May 7, 2019, Governor Jay Inslee signed a bill amending Washington’s data breach notification law.  The amendments require any notification involving a data breach of login credentials to “inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”  This notification can be sent by email, unless of course, it is the login credentials to that email account that have been breached.  Under the amendments, breach notifications are now required to include the date of the breach and the date the breach was discovered.  And the maximum time to issue breach notification is lowered from 45 days to 30 days, subject to certain exceptions.

Under the amendments, breached entities must notify the Washington attorney general within 30 days of discovery of any breach involving more than 500 Washington residents.  Along with the information previously required, this notice must now also include the types of personal information breached, the time frame of exposure, a summary of the steps taken to contain the breach, and a sample copy of the security breach notification sent to the affected individuals.

The amendments become effective on March 1, 2020


At least nine other state legislatures are currently considering bills that would create data breach notification obligations or modify those that are already in place.  As you can see, it is important for businesses to assess which state laws they are subject to and monitor them to stay informed as to how their legal obligations may change over time.

Tagged with: , ,
Posted in Data Breach, Data Security

Privacy Primer: Gramm-Leach-Bliley Act (GLBA)

GLBA, sometimes called the Financial Services Modernization Act of 1999, is a U.S. banking law that has important privacy and data security requirements for institutions that are subject to the law.  The law applies to “any institution the business of which is engaging in financial activities.”

GLBA’s primary purpose was to remove the barriers in the Glass-Steagall Act of 1933 and the Bank Holding Company Act that prevented organizations from functioning in any combination of a commercial bank, an investment bank, and an insurance company.  Nevertheless, concerns arose over the need to protect consumer information as institutions merged these traditionally separate functions, thereby aggregating massive amounts of customer data.  Therefore, GLBA provided for a Safeguards Rule and a Privacy Rule to help protect customer data.

First, the Safeguards Rule requires financial institutions to put in place administrative, technical, and physical safeguards to protect personal information.  This rule requires financial institutions to develop a comprehensive, written information security program that is appropriate for the size and scope of the institution and the sensitivity of the personal information at issue.  Institutions must specifically designate an employee or employees to coordinate this program.  The information security program must identify risks to the security, confidentiality, and integrity of personal information and implement controls to guard against those risks.  The rule also requires institutions to test and evaluate the controls they put in place and appropriately modify their information security program in light of the results.

Next, the Privacy Rule requires financial institutions to provide certain notices with regard to how they share information.  The rule distinguishes between consumers and customers.  For example, an individual who discloses nonpublic personal information on a loan application is a consumer of the institution under GLBA, regardless of whether the institution ultimately approves the loan.  If the institution approves the loan and extends the requested credit, thereby establishing an ongoing relationship with the individual, the individual becomes a customer of the institution.

Under the Privacy Rule, financial institutions must provide “clear and conspicuous” notice of their privacy policies in several situations.  They must provide notice to a consumer before they share any nonpublic personal information about that consumer to an unaffiliated third party.  They must provide notice to a customer no later than the time at which the customer relationship is established, and at least annually thereafter for as long as the customer relationship continues.

In general, these notices must describe the categories of nonpublic personal information the institution collects and shares with affiliated and nonaffiliated third parties and explain the right to opt out of certain disclosures.  With limited exceptions, an institution cannot share an individual’s nonpublic personal information with a nonaffiliated third party without providing the required notice and affording the individual a reasonable opportunity to exercise his or her opt out rights.  Additionally, if an institution revises its privacy policy to allow it to disclose nonpublic personal information that it did not disclose under the old policy, the institution must provide a new privacy notice and afford consumers a reasonable opportunity to opt out before disclosing their information.

GLBA disperses enforcement power across a number of agencies, depending on the institution at issue.  For example, the Board of Governors of the Federal Reserve System has enforcement authority over member banks of the Federal Reserve System, the Securities and Exchange Commission has enforcement authority over brokers and dealers, and the Board of the National Credit Union Administration has enforcement authority over federally insured credit unions.  The Federal Trade Commission has enforcement authority over any financial institution that is not specifically under the authority of any other agency.  State insurance regulators have enforcement authority over insurance providers domiciled in their state.  In addition, while the Consumer Financial Protection Bureau does not have explicit power to enforce the GLBA Safeguards Rule or Privacy Rule, it has used its general authority over unfair, deceptive, or abusive acts or practices to bring enforcement actions against regulated entities that fail to abide by those rules.

Tagged with: , ,
Posted in Legislation, Regulations

Case Update: Wakefield v. ViSalus, Inc.

A couple of months ago, I wrote about how a jury found multilevel marketing company ViSalus, Inc. responsible for making over 1.8 million robocalls in violation of the Telephone Consumer Protection Act.  Given the TCPA’s minimum statutory damages of $500 per call, ViSalus was looking at a minimum of $925 million in damages.  If those violations were found to be willful or knowing, however, damages could be tripled to nearly $2.8 billion, at the discretion of the court.

On Monday, June 24, however, U.S. District Court Judge Michael Simon denied plaintiff Lori Wakefield’s request for enhanced damages.  Judge Smith determined that the case did not call for an assessment of damages above the statutory minimum.  He pointed out that ViSalus did not have a history of TCPA violations and stopped making unlawful calls shortly after it was put on notice that it may be violating the law.  He ultimately determined that the statutory minimum award of $925 million “is sufficient to deter Defendant, and others, from committing future violations of the TCPA and that a further award of enhanced damages are not warranted.”

Although this ruling is certainly a win for ViSalus, it is likely not one that they will be enthusiastically celebrating.  As Judge Smith recognized, $925 million is a significant award.  The more critical issue for ViSalus is a pending post-trial motion to decertify the class, which could actually reduce the damages award if granted.  Coincidentally, the court’s ruling came out on the same day that the FTC announced that it would be cracking down on robocalls.  All in all, it was not a good day for robocallers.

Posted in TCPA

Senate Bill Seeks to Protect Health Information Gathered from Wearable Devices

I wear a fitness tracker.  I rarely take it off.  Throughout the course of the day, it collects a bevy of information about me: my heart rate, my exercise habits, the length and quality of my sleep.  When aggregated and observed over time, this information certainly reveals quite a bit of insight into my personal health.  Yet this health information is not Protected Health Information under HIPAA because the device manufacturer is not a HIPAA-regulated entity.

Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) recently introduced legislation that recognizes this issue.  The “Protecting Personal Health Data Act” seeks to “protect the personal health data of all Americans.”  It would apply to consumer devices, services, applications, and software that are primarily designed for or marketed to consumers and a substantial purpose of which is to collect personal health data.  This would include direct-to-consumer genetic testing services, wearable fitness trackers, and social media sites that are designed for users to share health conditions and experiences.

The proposed law directs the Secretary of Health and Human Services, in consultation with the Chairman of the Federal Trade Commission and others, to promulgate regulations to strengthen privacy and data security protections for personal health information that is collected by consumer devices.  In doing so, the Secretary would have to account for differences in the nature and sensitivity of the data collected or stored on the consumer device.  Not all personal health data is created equal.

Among other things, the Secretary would also have to consider (i) standards for consent related to the handling of genetic, biometric, and personal health data with potential exceptions for law enforcement, academic research, emergency medical treatment, or determining paternity, (ii) minimum security standards for collected personal health data, and (iii) standards for the de-identification of personal health data.  These standards would include limitations on transferring personal health data to third parties.  They would also include an individual’s right to withdraw consent and access and delete his or her personal health data.

The proposed law would also establish a National Task Force on Health Data Protection to:

(1) study the long-term effectiveness of de-identification methodologies for genetic and biometric data;

(2) evaluate and provide input on the development of security standards, including encryption standards and transfer protocols, for consumer devices, services, applications, and software;

(3) evaluate and provide input with respect to addressing cybersecurity risks and security concerns related to consumer devices, services, applications, and software;

(4) evaluate and provide input with respect to the privacy concerns and protection standards related to consumer and employee health data; and

(5) provide advice and consultation in establishing and disseminating resources to educate and advise consumers about the basics of genetics and direct-to-consumer genetic testing, and the risks, benefits, and limitations of such testing.

Under the bill, the Task Force would have one year to report its findings to Congress, after which the Secretary would have six months to promulgate appropriate regulations.  The bill has been referred to the Committee on Health, Education, Labor, and Pensions.

Tagged with: , ,
Posted in Data Security, Internet of Things

Pennsylvania County Faces Up To $67 Million In Damages For Distribution Of Criminal Record Information

Criminal Record Folder with GavelA suburban Philadelphia county is facing a judgment of up to $67 million after a Pennsylvania federal jury found that it violated the Pennsylvania Criminal History Record Information Act.

Pennsylvania’s Criminal History Record Information Act (“CHRIA”) governs the dissemination of records held by criminal justice agencies.  It requires criminal justice agencies to expunge criminal history record information under certain circumstances.  It also contains detailed restrictions on when a criminal justice agency can distribute criminal record information to agencies other than criminal justice agencies or to individuals.  It provides that any person “aggrieved by a violation” of CHRIA “shall be entitled to actual and real damages of not less than $100 for each violation” and “not less than $1,000 nor more than $10,000” for each willful violation.

The Plaintiff in the case alleged that he had been arrested by the Bensalem Police Department in September of 1998 and was subsequently processed through the Bucks County Correctional Facility (“BCCF”).  He then successfully completed a pre-trial rehabilitation program, which allowed him to file a petition for expungement under state law.  He filed that petition, and the court issued an order of expungement in January of 2000.

Nevertheless, in 2007 BCCF created a website that made available to the public criminal history record information, including mug shots and booking photos, of individuals who had been placed in BCCF after their arrest, going back some 70 years.  The information accessible on the website included information for individuals whose criminal records had later been expunged or whose charges had been dismissed.  Plaintiff’s information was accessible on the website.  Plaintiff alleged that a private business running websites named and was able to gather the information from the BCCF website and make it available on its own website for a fee, without the consent of the affected individual.

As a result, Plaintiff filed a class action complaint on his own behalf and on behalf of others whose records had been expunged, yet their information was published on the BCCF website.  He asserted claims under CHRIA against BCCF and the private websites.  He also asserted claims against the private websites for the unauthorized use of his name or likeness and for false light invasion of privacy.

Plaintiff’s claims against the private websites ultimately failed.  The Court dismissed the CHRIA and unauthorized use of name or likeness claims at the outset.  The Court ruled that CHRIA, by its terms, applied only to criminal justice agencies.  The websites, on the other hand, were private actors.  Therefore, the Court concluded, the websites could have no liability under CHRIA.  The Court also dismissed Plaintiff’s claim for unauthorized use of name or likeness, because Plaintiff failed to show that his name and likeness had “commercial value” as required under the relevant statute.  While the Court allowed Plaintiff’s claim against the websites for false light invasion of privacy to move past the motion to dismiss stage, it ruled in favor of the websites on that claim at summary judgment.  The Court ruled that Plaintiff had failed to produce evidence that the websites acted with actual knowledge or with reckless disregard for the falsity of the information about Plaintiff.  To the contrary, the Court found that the websites had no obvious reason to doubt that the information provided on the BCCF website did not include expunged information.

Consequently, the case moved forward only with respect to the CHRIA claim against BCCF.  The Court granted summary judgment in favor of Plaintiff on liability under CHRIA, finding that the distributed information was criminal record history information under “the unambiguous definition in CHRIA, Pennsylvania’s rules of statutory construction, relevant decisions by Pennsylvania courts, and the Attorney General’s CHRIA Handbook.”

Therefore, the only issues for trial were whether BCCF “willfully” violated CHRIA and to assess damages.  The jury ultimately found that the violations were willful under CHRIA.  It fixed punitive damages at the statutory minimum $1,000 per violation for the nearly 67,000 individuals whose records were unlawfully accessible on the website.  The potential $67 million verdict, however, is the ceiling.  The Court later will determine the exact number of class members who are eligible for the award.  The ultimate number is likely to decrease once deceased class members are removed from the equation.

Posted in Privacy

The Value Of Quickly Disclosing A Data Breach

HackedOne of the first questions a company must answer after it discovers and remediates a data breach is, “What do we tell our customers?”  Companies may delay publicly announcing a data breach out of fear that doing so will harm their reputation with customers, leading to a loss of business.  They may take an inordinate amount of time to make a public announcement, thinking their public statement must be “just right.”  This is backward and outdated thinking.  Rather, a quick public announcement of a data breach is an essential part of saving and rebuilding a company’s reputation after a data breach.

First, it is important to recognize that a company whose data systems have been breached is not in control of when the breach will be revealed to the public.  There are tools available for individuals to see if their email addresses, passwords, social security numbers, credit card numbers, and the like have been posted on the dark web.  There are cybersecurity companies and ethical hackers who are constantly on the lookout for information demonstrating a new data breach.  Not speaking publicly about the problem will not make it go away.  If a system has been compromised, that fact is going to become known sooner rather than later, regardless of whether the owner of the compromised system announces it.

Therefore, the compromised company needs to get ahead of things to control the narrative.  We oftentimes forget that a company that has been hacked is a victim.  A timely public announcement can help to remind the public of that fact.  An announcement that acknowledges the problem, provides a meaningful recourse for those affected, and emphasizes the company’s commitment to work with law enforcement can help to shift the focus toward those who invaded the company’s systems.  Delaying announcement until after a breach is already publicly discovered robs the company of the opportunity to frame itself as part of the solution rather than part of the problem.

Indeed, recent experience shows that the way a company responds to a breach is more likely to cause reputational harm than the breach itself.  As a general matter, the public accepts that data beaches are an unfortunate reality of the digital age despite best efforts to prevent them.  Moreover, given the number and size of data breaches over the past decade, many people are resigned to the fact that much of their personal data has already been compromised.  They want to know of any additional breaches so that they can remain vigilant and spot potential fraud when it occurs.  A timely announcement by the owner of the breached system gives them the information they need.  Unnecessary delay can lead them to believe that the company is not taking its customers’ interests seriously.

Posted in Data Breach

Jury Verdict in TCPA Case Puts Over $925 Million In Damages On The Table

On April 12, 2019, an Oregon federal jury returned a Friday evening verdict in a Telephone Consumer Protection Act (TCPA) class action that could put the defendant on the hook for $925 million in damages.

The TCPA makes it unlawful to make a telephone call to any cell phone or residential telephone line using an artificial or prerecorded voice without the prior express consent of the called party.  It provides a private right of action that subjects violators to actual damages or $500 for each violation, whichever is greater.  A court can award treble damages for any violation it determines to be willful or knowing.

The case of Wakefield v. ViSalus, Inc. started back in 2015 when plaintiff Lori Wakefield filed a class action complaint in the U.S. District Court for the District of Oregon against ViSalus, Inc.  ViSalus is a multilevel marketing company that markets weight loss products, dietary supplements, and energy drinks.  Ms. Wakefield alleged that ViSalus engaged in a marketing campaign that consisted of calling phone numbers that were on the Do Not Call Registry and placing robocalls initiated with a prerecorded message, both without prior express consent.  Eventually, Ms. Wakefield sought certification of three classes, a “Do Not Call Class,” a “Robocall Class,” and an “Oregon-Stop-Calling Class” based on alleged violations of state law.

In June of 2017, the Court certified the Robocall Class but denied certification of the Do Not Call Class and the Oregon-Stop-Calling Class.  With respect to the Do Not Call Class, the Court determined that Ms. Wakefield had not provided reliable evidence to show the number of potential class members.  With respect to the Oregon-Stop-Calling Class, the Court ruled that the claim did not involve common evidence across class members.  Therefore, only the claims with respect to the Robocall Class moved to trial.

After a 3-day trial that began on April 10, 2019, the jury returned its verdict.  The jury found that Ms. Wakefield proved that ViSalus made 4 calls to her in violation of the TCPA and 1,850,436 calls to class members in violation of the TCPA.  When asked to distinguish on the verdict sheet between how many of those calls were made to cell phones and how many were made to residential telephone lines, however, the jury wrote, “We cannot tell.”  Nor was the jury tasked with making a determination on damages.  Nevertheless, the number of calls and the $500 statutory damages per violation puts potential damages over $925 million, at minimum.

The verdict, however, is likely just the beginning of the next chapter in the case.  Defense counsel is likely to seize on the jury’s inability to distinguish between calls to cell phones and calls to residential landlines.  While the TCPA prohibits prerecorded voice calls to both, it does not prohibit prerecorded voice calls to business landlines.  Therefore, the jury’s statement of “We cannot tell” may give defense counsel an opening to argue that the jury based its verdict on mere speculation.  In any event, given the amount of damages at stake, an appeal appears inevitable.

Tagged with: , , ,
Posted in Litigation, TCPA

5 Ways in Which Your Company’s Privacy Policy is Insufficient

Well thought-out internal privacy policies and procedures are an essential part of any company’s information management program.  These internal policies should not be confused with a company’s external privacy notice, which informs the company’s customers as to how it may process, store, and share their personal data.  Rather, the company’s internal privacy policy sets forth company goals with respect to protected data and defines company procedures to ensure that those goals are met.  Here are five top ways in which such policies are deficient.

  1. The privacy policy isn’t properly documented

It goes without saying that a company’s privacy policies and procedures themselves should be written down and stored in an accessible location.  But all of the underlying information giving rise to those policies and procedures should be thoroughly documented as well.  This documentation should include a comprehensive description of the company’s systems, data, and data flows.  Documenting this information along with the privacy policy will make it easier to identify when the circumstances underlying the policy have changed so that the policy is in need of an update (See #2 below).  It will also ease any transition when new employees become responsible for the company’s information management program.  Spending extra time up front to thoroughly inventory, understand, and document company data will pay dividends down the road.

  1. The privacy policy hasn’t been appropriately updated

Businesses change over time.  A company may enter a new line of business in which it gathers a new category of customer data.  Or a company’s use of personal information may shift between aggressive and conservative over time.  For example, a company may see an opportunity to position itself as a privacy leader in its industry, or it may have to tighten up its data protection practices to minimize reputational harm after a data breach.  Such internal changes warrant a re-examination of the company’s privacy policy.

External changes happen as well.  New laws and regulations in the field of data privacy are a seemingly daily occurrence.  Businesses must account for these changes by appropriately revising their privacy policies.  Moreover, even if a business periodically updates its privacy policy when a new law or regulation is passed, it must occasionally look at its privacy policy more holistically to ensure that it is in accordance with the company’s goals and the regulatory scheme as a whole.

  1. There is one blanket policy that applies to all categories of data

Given the alphabet soup of laws that apply to privacy and data protection, a blanket privacy policy is often insufficient.  Privacy laws differ in their definitions of what constitutes protected information.  For example, a company may hold personally identifiable information under a state privacy law and also hold protected health information under HIPAA.  These different categories of data may require separate privacy policies.  Similarly, laws such as the GDPR categorize personal data separately from sensitive personal data with different grounds for processing each.  Therefore, privacy policies must separately account for and deal with all of the categories of data that a company processes and place appropriate procedures and safeguards around each.

  1. The policy does not appropriately limit defined user roles

Even where a privacy policy properly accounts for all categories of data within an organization, it still must ensure that only appropriate users and systems have access to that data.  Any privacy policy must therefore establish appropriate access barriers across departments and lines of business.  For example, while it may be appropriate to give a certain category of employee (e.g., managers) high-level access to company data within their department, it may not be appropriate to give that category of employee high-level access to company data across the organization.  The privacy policy must account for this by ensuring that employees only have the access to company data necessary to carry out their job functions.  While this adds a layer of complexity to the administration of user accounts and access rights, it is necessary to ensure that only those with a need to know have access to sensitive data.

  1. The policy hasn’t been adequately communicated to the workforce

Even the best-conceived and comprehensive privacy policy won’t do much good if it isn’t communicated throughout the organization.  Moreover, simply posting the company’s privacy policy on the company intranet or including it in an employee handbook may be insufficient.  Appropriate employees need training on the policy with refresher training as policies evolve.  Client or customer-facing employees in particular warrant special attention, as they have to be able to externally communicate the contours of the company’s privacy policies and procedures.  Regular internal communication about the company privacy policy also ensures that privacy is at the forefront of employees’ minds, rather than just an afterthought.

Developing a comprehensive internal company privacy policy and implementing procedures to put that policy into action is certainly not an easy task.  It requires input from multiple stakeholders and buy-in from all levels of the corporate structure.  Moreover, once a privacy policy is in place, it must be viewed as a living document that is regularly reviewed, analyzed, and updated.  Nevertheless, having a complete and updated policy in place is essential to protect your company and your customers’ data.

Tagged with: , , , , ,
Posted in Policies and Procedures, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs