BLOGS: Privacy and Data Protection

Wednesday, December 22, 2010, 12:13 PM

Sixth Circuit Finds Reasonable Expectation of Privacy in E-Mails Stored in or Sent through a Commercial ISP

The United States Court of Appeals for the Sixth Circuit has ruled that the government must obtain a search warrant to intercept and read e-mails. In U.S. v. Warshak, Case 08-3997, the Sixth Circuit addressed the right of a private individual to maintain private e-mail accounts free from warrantless searches and seizures. The case may have significant implications on business as, for the first time, a U.S. Federal Appeals Court held that the Constitution protects individual privacy rights in e-mails. Such rights may extend to e-mails managed by employers in certain situations.

The Court found that the e-mails of a suspect in a fraud investigation were protected by the Fourth Amendment because (1) the suspect had “plainly manifested” an expectation of privacy in his e-mails (shown in part through the damaging nature of the information obtained from the e-mails and (2) his expectation of privacy was “reasonable,” as e-mail is fundamentally similar to traditional protected forms of communication (like letters). Therefore, the Court held, the government violated the Fourth Amendment by accessing e-mails from his internet service provider (“ISP”) without a warrant.

The Court noted that a subscriber agreement between an ISP and a consumer could potentially be so broad as to “snuff out” a reasonable expectation of privacy if, for example, the ISP “expresses an intention to audit, inspect, and monitor” its customer’s e-mails. However, in the absence of such language, an ISP may not be compelled to turn over its subscribers’ e-mails. The Court noted that an ISP, as the intermediary facilitating e-mail transfer, does not have the same right to disclose this information as the recipient would.

This case has far-reaching implications for the treatment of e-mails by the courts. In Warshak, the government had claimed that, even if it had violated the Fourth Amendment in obtaining the e-mails, law enforcement agencies should be protected by relying on the Secured Communications Act (“SCA”), which permits compelling disclosure of electronic communications through an administrative subpoena or a court order. The Court found that, to the extent that the SCA purports to allow the government access to obtain e-mails stored in or sent through a commercial ISP from the ISP, the SCA is unconstitutional.

While this case does not address the right of an employer to access e-mails, through personal or corporate accounts, the implications of this decision are clear. It would be easy for a court to extend this decision to find that, absent clear language to the contrary, any expectation of an e-mail user of privacy in his or her e-mails is reasonable. In the future, employers and others with access to e-mail accounts of others may be prohibited from warrantless searches of their e-mails. As the Court held, “the mere ability of a third-party intermediary to access the contents of a communication cannot be sufficient to extinguish a reasonable expectation of privacy.”

Thursday, December 16, 2010, 3:50 PM

Privacy Bulletin: Issue No. 50

Congress Passes Red Flags Rule Legislation, Waiting for President’s Signature:

The U.S. Senate and U.S. House of Representatives have both passed amendments clarifying the definition of the term “creditor” under the Fair Credit Reporting Act. This legislation was introduced to limit the types of entities that are subject to the Federal Trade Commission’s identity theft prevention red flag rules. This legislation is awaiting President Obama’s signature.

Currently, the term “creditor” can be broadly interpreted to include many different types of entities and professions, such as attorneys. The legislation will limit the term “creditor” to mean those persons who meet the definition of creditor under the Equal Credit Opportunity Act and regularly and in the ordinary course of business: (i) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

In a press release dated December 8, 2010, FTC Chairman Jon Leibowitz said, “We’re pleased Congress clarified its law, which was clearly overbroad. Now, we can go forward with less litigating and more protecting consumers from identity theft.”

In connection with this controversy, the FTC delayed the effective date of the red flag rules, issued on November 9, 2007, several times. The rules are now to take effect December 31, 2010 (red flag rules). For complete text of legislation see

Senate Approves Legislation to Ban “Data Pass” to Third Party Post-Transaction Sellers:

On November 30, 2010, the U.S. Senate passed legislation that would render unlawful any post-transaction third party seller’s charge or attempt to charge a consumer’s credit card, debit card, or bank account for goods or services sold through the internet. There are exceptions to the prohibition: (i) before obtaining a consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including certain specific terms; and (ii) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by certain specified methods. Senate Bill 3386, the “Restore Online Shoppers’ Confidence Act,” has passed to the House Committee on Energy and Commerce.

FCRA Credit Receipt Claim May Proceed Against the U.S. Government, says Federal Circuit Court:

The U.S. Court of Appeals for the Federal Circuit has allowed a claim of a violation of the Fair Credit Reporting Act by the United States government to proceed. In Bormes v. United States (Fed. Cir., No. 2009-1546, 11/16/2010), the plaintiff claims that the United States government failed to follow the Act’s requirements that a consumer’s credit card expiration date be redacted from appearing on a receipt. The plaintiff, an attorney, allegedly paid a client’s filing fees through the U.S. government’s system using a credit card. In so doing, the plaintiff alleges that the receipt for the payment of the filing displayed the card’s expiration date, in violation of the Fair Credit Reporting Act Section 1681c(g)(1).

Congress Holds Hearing on Feasibility of “Do-Not-Track” Legislation:

The U.S. House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection held a hearing entitled “Do-Not-Track Legislation: Is Now the Right Time?” on December 2, 2010. This hearing examined the feasibility of establishing a mechanism that provides internet users a method to opt-out from the tracking of their online activity by data-gathering firms. Among the witnesses were officials from the Federal Trade Commission and the Department of Commerce. Daniel Weitzner of the Commerce Department’s National Telecommunications and Information Administration included in his testimony that the Commerce Department will soon publish a series of policy ideas and questions in a “green paper.” He also stated that these policy ideas and questions “are intended to play a key role in [the Department’s] effort to close gaps in consumer protection, strengthen online trust, and bolster the internet economy.” His testimony also stated that “with or without legislation, Internet stakeholders suggested that the centerpiece of Internet privacy protection may be upgrading the role of voluntary but enforceable codes of conduct, developed through open, inclusive processes.” Director of the Bureau of Consumer Protection David Vladek, testifying on behalf of the Federal Trade Commission, relayed, among other things, the framework proposed by the FTC in its recent report to guide policy makers and industry to improve consumer online privacy protection. On the heels of this hearing, Microsoft® announced on December 8th that it would add a “do-not-track” feature to its Internet Explorer® software.

Members of Congress State Intent to Seek Privacy Legislation in the Next Congress:

Several Congressional Members have indicated their intent to seek internet privacy legislation, including Senator John Kerry (MA). In a press release dated December 1, 2010, Sen. Kerry stated that “during the process of drafting legislation, I’ve concluded that consumers should have three nonnegotiable rights. First, all firms must put procedures in place to secure personally identifiable information. Second, consumers have a right to know in clear and concise terms what firms intend to collect, why, and how it will be used. Third, consumers should be given a simple mechanism for opting out of the process.”

FTC Solicits Comments on Caller ID Services for Telemarketers:

The Federal Trade Commission issued an advance notice of proposed rulemaking on November 30, 2010, seeking comments on the provisions of the Telemarketing Sales Rule concerning caller identification services and disclosure of telemarketers’ identities for telemarketing calls.

Caller identification services provide a consumer the opportunity to know his or her caller. However, innovations in caller identification services have led to a telemarketer’s ability to shield its true identity and contact information from consumers. Telemarketers can use technology to allow them to transmit caller identification numbers that are not associated with their geographical location. Telemarketers can also use these technologies to display telephone numbers that lead to voicemail only or to display a number that is not in service. Telemarketers can also change their name in the caller identification display.

The FTC solicits comments on whether changes should be made to the Telemarketing Sales Rules to reflect the current use and capabilities of caller identification technologies and whether the Rules should be amended to better achieve the objectives of the caller identification provisions. The FTC’s press release regarding this ANPR states that the ANPR “does not put forward a specific plan for strengthening the Telemarketing Sales Rule’s Caller ID provisions. Instead, it provides information on how Caller ID services work, and explains how the benefits of Caller ID services are undermined when telemarketers use technology to block transmission of Caller ID, to transmit false information, or to transmit a telephone number or name that does not clearly identify the source of the call.” Comments are due January 28, 2011.

FTC Publishes Tips for Securing Data on Digital Copiers:

The FTC recently published a guide, Copier Data Security: A Guide for Businesses, which advises business how to secure sensitive data stored on digital copiers. The FTC’s press release announcing this new guide includes some helpful steps for ensuring data security that can be obtained in the guide (reprinted below):

  • Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server.
  • When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. Encryption scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, the data cannot be retrieved. Overwriting – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed.
  • Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month.
  • When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable.

Please see the FTC’s website for more information,

Congress Passes Social Security Number Protection Act:

On December 9, 2010, Congress passed legislation to further protect an individual’s social security number. The legislation will prohibit federal, state and local agencies from displaying a person’s social security number (or any derivative of that number) on a check issued by an agency. The legislation will also prohibit federal, state or local agencies from employing prisoners where the prisoner would have access to a person’s social security number. This legislation, the Social Security Number Protection Act of 2010, was sponsored by Senator Dianne Feinstein (CA). The bill now awaits President Obama’s signature.

Verizon Announces Plan to Issue Medical Credentials to Doctors, and Other Medical Professionals

Verizon announced on November 17th its plans to issue medical identity credentials to 2.3 million physicians, physicians’ assistants and nurse practitioners in the United States free of charge. In a press release, Verizon claimed that “this first-of-its kind step will enable U.S. health care professionals to meet federal requirements contained in the 2009 Health Information Technology and Clinical Health (HITECH) Act that call for the use of strong identity credentials when accessing and sharing patient information electronically beginning in mid-2011.” Verizon feels that with these credentials, “U.S. health care professionals will be able to receive digital health information via the Verizon Medical Data Exchange, using a secure, private inbox accessed from a new web-based physician portal.” Further, Verizon states that the credentials will enable these health care providers to access applications and programs such as electronic medical records and e-prescribing.

Consumer Group Advocates Improved Consumer Protections to Cloud Computing Service Providers

The Consumer Federation of America released a set of best practices for cloud computing services on November 30th, titled “Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing.” Cloud services can be incredibly useful for sharing information electronically. Consumers as well as businesses and governments already take advantage of cloud computing services, such as social networking sites and other remote servers that hold information and are accessed through the internet. However, cloud computing services can also create issues in the consumer protection and privacy arenas. Thus, according to its press release on November 30th, the Consumer Federation held a two day retreat over the summer with representatives from consumer and privacy organizations, academia, government and business from the United States and Europe in attendance and created a set of best practices for the cloud service provider industry. These best practices include, but are not limited to, the demonstration of operational safeguards and security mechanisms by cloud service providers and that cloud service users should be able to delete information the user uploaded to the cloud. These best practices are not mandatory but the Consumer Federation of America hopes that the cloud servicer provider industry will consider these practices in the future.

Friday, December 3, 2010, 3:00 PM

Privacy Bulletin: Issue No. 49

In the News

FTC Issues Preliminary Staff Report Regarding Consumer Privacy and Seeks Comments on Proposal by January 31, 2011: On December 1, 2010, the FTC proposed a framework for how companies that collect consumer data should protect consumers’ privacy. Entitled “Protecting Consumer Privacy in an Era of Rapid Change,” the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer, or device. The proposed framework contains three components: (1) “privacy by design” pursuant to which companies would build privacy protections into their everyday business practices; (2) notice and choice to consumers about a company’s data practices in a simpler, more streamlined manner than has been done in the past; and (3) improved transparency of all data practices, including those of non-consumer facing businesses. The FTC has proposed various protections to implement each of these three components. As one example, with regard to consumer choice, the FTC has proposed “Do Not Track,” which would require companies to include a setting, similar to a cookie, on a consumer’s browser that would signal the consumer’s choices about being tracked and receiving targeted ads. The FTC seeks comments on the proposed framework and the protections contained therein by January 31, 2011.

House Energy and Commerce Committee Hold Privacy Hearing: On December 2, 2010, the House Energy and Commerce Committee held a hearing to address whether to write legislation to mandate a “Do Not Track” mechanism as discussed in the FTC report. The Commission testified about the “Do Not Track” option, which it called the “most practical way” to provide consumers with choices about online behavioral advertising. The Commission stressed that Do Not Track legislation, if enacted, should not “undermine the benefits online behavioral advertising provides consumers” or require maintenance of a distinct registry of users. The Commission also urged Congress to give it rulemaking authority and the ability to fine violators.

On a related issue, on the heels of the release of the FTC report, Senator John Kerry announced on December 1, 2010, that he would introduce privacy legislation in early 2011.

United Kingdom’s Information Commissioner’s Office Issues First Data Protection Fines: The Information Commissioner’s Office reports that it has issued its first data protection fines. Specifically, the U.K’s Information Commissioner’s Office has fined the Hertfordshire County Council 100,000 pounds for breaching the U.K. Data Protection Act. The Office also fined an employment service company 60,000 pounds for the loss of an encrypted laptop with personal information of 24,000 individuals who had used community legal advice centers.

FTC Names First Chief Technologist and New Executive Director: The Federal Trade Commission (“FTC”) has appointed Princeton University Professor Edward Felton as its first Chief Technologist, to advise the agency on new technologies and policy issues. Felton is a professor of computer science and public affairs and was the founding director of the Center for Information Technology Policy at Princeton University. He has also consulted with various agencies, including the FTC, where he currently consults. He will start full-time at his new position in January. The appointment has been widely applauded as the FTC enters a new era with an increasing number of high-profile technology cases.

The FTC also announced that Small Business Administration (“SBA”) Chief Operating Officer Eileen Harrington has been appointed to be the FTC’s Executive Director. An experienced choice, Harrington worked at the FTC for 25 years before her tenure at the SBA. While at the FTC, Herrington was awarded the Service to America Medal for leading in the creation of the National Do Not Call Registry in 2004.

White House Privacy Committee Releases Charter: The Subcommittee on Privacy and Internet Privacy, established by the National Science and Technology Counsel Committee on Technology released its charter earlier this month. The charter focused on three main deliverables: (i) a white paper examining information privacy in the Internet Age; (ii) Internet Privacy Principles, to be applied domestically and globally; and (iii) coordination of Statements of Administration Policy on privacy and Internet privacy. The Subcommittee, created October 24, 2010, is comprised of representatives from over 15 departments, agencies and federal offices and is co-chaired by Cameron Kerry, the General Counsel of the Department of Commerce, and Christopher Schroeder, Assistant U.S. Attorney General.

Facebook Announces Zero Tolerance Policy for Data Brokers: After discovering that a data broker paid application developers for Facebook users’ information, the social networking site announced it has a “zero tolerance” policy for data brokers. Facebook stated on its Developers Blog that data brokers “undermine the value that users have come to expect from Facebook.” Developers are prohibited from giving data from Facebook to data brokers, and Facebook also announced that it was suspending previous violators from accessing Facebook for 6 months. The policy announcement comes at the same time that Facebook has come under fire itself for a new feature, called “Friendship Pages.” The feature shares public information between “friends” to show the relationship histories between the users. Although the information is already public, some critics have claimed that Facebook should have notified all users of the new feature and given a clear opt-in or opt-out feature.

White House Issues Cloud Computing Guidance: On November 2, 2010, the White House issued “The Proposed Security Assessment and Authorization for U.S. Government Cloud Computing,” a document called the “product of 18 months of collaboration with state and local governments, private sector, NGOs, and academia” by U.S. Chief Information Officer Vivek Kundra. The proposal is intended to help government agencies utilize cloud computing by laying out security requirements that private contractors providing these services must meet. CIO Kundra asked for public comment on the proposal, and all comments are due December 2, 2010.

Homeland Security Committee Announces Cybersecurity Hearing: On November 17, 2010, the Homeland Security and Governmental Affairs Committee held a cybersecurity hearing entitled “Securing Critical Infrastructure in the Age of Stuxnet.” The hearing addressed the security implications of the Stuxnet worm and its potential impact on systems that run the U.S.’s infrastructure. Witnesses included Sean McGurk, acting director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center; Michael J. Assante, president and CEO at the National Board of Information Security Examiners; Dean Turner, the director of the Global Intelligence Network at Symantec Corporation; and Mark W. Gandy, global manager of IT Security and Information Asset Management at Dow Corning Corporation. The hearing was held at 10:30 am at the Dirksen Senate Office Building, room SD-342. Live video of the hearing was made available by the Committee.

NLRB Says Firing Based on Facebook Posts Was Illegal: In a groundbreaking case, the National Labor Relations Board (“NLRB”) has issued a complaint claiming that a company’s firing of an employee who criticized her supervisor on Facebook was an unfair labor practice. This is the first time the labor board has argued that workers’ criticisms of their employers on a social networking site are protected. The NLRB issued the complaint against American Medical Response of Connecticut for firing medical technician Dawnmarie Souza after she called her supervisor a psychiatric patient and referred to the supervisor by derogatory terms on her Facebook page. The NLRB also alleged the company’s Internet policies, which prohibited employees from making disparaging, discriminatory, or defamatory comments about supervisors, co-workers, competitors or the company, were overly broad and interfered with employees’ right to engage in protected activities under Section 7 of the NLRA. A hearing is scheduled for January 25, 2011.

Upcoming Deadlines

FTC Red Flag Enforcement Begins January 1, 2011: In May 2010, the FTC once again extended the enforcement date of its Red Flags rule through December 31, 2010. The FTC has not issued a further extension. Therefore, by January 1, 2011, businesses that maintain covered accounts must have implemented a written identity theft prevention program that has been approved by the company’s board or an appropriate board committee. This enforcement deadline does not affect the enforcement of the “Red Flags Rule” already in place for financial institutions and creditors that are regulated by the federal bank regulatory agencies or the National Credit Union Administration.

GLBA Model Notice Must Be Used by January 1, 2011: Financial institutions regulated under the Gramm-Leach-Bliley Act (as amended by the Financial Services Regulatory Relief Act of 2006), must use the GLBA model privacy notice form if they want to obtain safe harbor protection under the GLBA privacy rules. The purpose of the form is to make privacy notices more transparent to consumers.

Privacy and Data Protection Team

The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top