Thursday, June 16, 2011, 2:42 PM

Privacy Bulletin: Issue No. 59

Twitter’s OPT-OUT Confirmations May Violate TCPA

A lawsuit was filed in a California federal court that claims that Twitter violated the Telephone Consumer Protection Act (TCPA). The plaintiffs in this case are asking for class action certification. The suit alleges a violation of the TCPA’s requirement that a consumer give express consent before commercial text messages are sent to a consumer’s phone. Plaintiffs allege that Twitter sent a confirmation text message to them in response to their text messages opting out of receiving further text messages from Twitter. The plaintiffs argue that Twitter’s confirmation message violated the TCPA because it was sent without the plaintiffs’ prior express consent. The plaintiffs argue that their request to opt out of any further text messaging from the defendants revoked any express consent given prior to the opt out. Text message confirmations of a request to opt out of receiving further text messages are relatively standard in the industry. In fact, the Mobile Marketing Association’s U.S. Consumer Best Practices recommends that a confirming message should be sent to the consumer.

These cases could have an impact on companies that use text messaging to communicate with consumers or as a marketing tool. A court resolution of these cases should provide valuable guidance to similarly situated firms in the future.

Senator Introduces Legislation Regarding National Standard for Notifications of Data Security Breach

The recent rash of security breaches, including those at Sony and Lockheed Martin, has helped to galvanize the focus of the U.S. government on business practices for safeguarding consumer data and notifying the general public about data breaches. Senator Patrick Leahy, a Vermont Democrat, said in a statement: “The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

Senator Leahy introduced a bill, known as the Personal Data Privacy and Security Act of 2011, which would set a national standard for notifying consumers of a data breach. Senator Leahy summarized the legislation in his press release:

- Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;

- A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;

- An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and

- A requirement that the government ensure sensitive data is protected when the government contracts with third-party contractors.

The current state of the law regarding data breach notification requirements is unclear and difficult to comply with because most states have a slightly different reporting requirement. Robert Holleyman, the president of the Business Software Alliance, urged Congress to pass “a single, national standard to replace the unwieldy state patchwork we have today.” The Business Software Alliance represents software makers.

Co-sponsors of this bill are Senator Chuck Schumer (D-NY), Senator Ben Cardin (D-MD) and Senator Al Franken (D-MN). We will continue to monitor the progress of this legislation through the halls of Congress.

Leahy Introduces Legislation Regarding Email Privacy

Senator Patrick Leahy (D-Vt.) also introduced legislation to update the Electronic Communications Privacy Act (ECPA), a key source of legal protection for email privacy. Leahy was the lead author of ECPA, which was enacted in 1986 to protect the privacy of Americans’ electronic communications. However, the electronic world has changed dramatically since the law’s enactment, and the law may not adequately protect the privacy of individuals in this new world.

Senator Leahy’s bill would require a government agency to obtain a search warrant from a court any time it wants to read an email. Further, Senator Leahy states that this legislation:

- Includes new protections for Americans’ location information that is collected, used or stored by service providers, smartphones and other mobile technologies.

- Includes a provision to enhance the cybersecurity of U.S. computer networks, by allowing service providers to voluntarily disclose content to the government that is pertinent to addressing a cyber-attack involving their computer network.

- Improves law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications, if notification would endanger national security.

Data Breaches

In a new section of our Privacy Bulletin, we will provide information we’ve come across about recent data breaches. The following breaches have been publicized since our last Privacy Bulletin:

- Lockheed Martin confirmed that its information systems network had been attacked by hackers on May 21. The Company does not believe the breach, which was thwarted following detection, resulted in the release of any personally identifiable or other private information from its customers or employees. Lockheed is continuing to investigate the incident, which may be related to a data breach that occurred at RSA Systems in March.

- Hackers breached a European server belonging to the computer manufacturing company Acer the weekend of June 4th. The incident may have compromised the data of approximately 40,000 customers from its Packard Bell unit in Europe.

- In early June 2011, Citigroup announced that during routine monitoring it uncovered that the data of approximately one percent of its 21 million North American credit card customers had been breached. Citigroup noted that its customers' account information (such as name, account number and contact information, including email address) was accessed, but the customers' social security number, date of birth, card expiration date and card security code (CVV) were not compromised. Accordingly, Citigroup does not believe that the data breach revealed sufficient information to perpetrate fraud, but the company will monitor accounts and re-issue credit cards to affected customers.

- On June 8, the International Monetary Fund told staffers that the organization’s computer network was subject to a sophisticated cyberattack. As reported by the New York Times, which cited unnamed IMF officials in its discussion of the significance of the incident, the scope of the attack is still being investigated and its full ramifications are unknown. The IMF has not publicly announced details of the attack, but confirmed an investigation was underway.

- Honda Canada announced in May 2011 that hackers had accessed a Web server that held the 2009 information for about 280,000 of its customers. Officials at Honda said they detected the breach after noticing “an unusual volume of usage in the myHonda and myAcura Websites.” It has been reported that a class action lawsuit seeking $200 million in damages against Honda was filed in Oshawa, Ontario.

Upcoming Deadlines

HIPAA Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

Interested individuals may submit comments on the Department of Health and Human Services’ Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 Privacy Rules standard for accounting disclosures of protected health information by August 1, 2011 to (search for Proposed Rule). For Womble Carlyle’s coverage on this Notice of Proposed Rulemaking, please review our Client Alert.

