ABA Issues Outsourcing Ethics Opinion

Just yesteday, the ABA issued Ethics Opinion opinion 08-451 (not available online) dealing with the outsourcing of legal services. In brief, the Opinion permits outsourcing assuming both the attorney and the outsourcees adhere to certain standards of ethics and competence. See this ABA Journal article as well as this Daily Record article (subscription) for more.

Law Firm Suit For The Outsourcing of Litigation Support

The Annapolis, MD law firm of Newman McIntosh & Hennessey recently filed suit against a legal process outsourcer located in India. The case, filed in US District Court for DC, seeks a ruling from the court on the following question: “Given the pervasive nature of the signals intercept by the United StatesGovernment and UKUSA Allies, will the electronic transmission of data to foreign nationals residing overseas waive Fourth Amendment protections with respect to the data transmitted?” It appears that the law firm also submitted this question to the Ethics Committee of the DC Bar. See here for more info.

New Suits Target Information On Store Receipts

This National Law Journal article discusses a recent increase in suits against companies who are alledgely failing to comply with the Fair Credit Reporting Act (FACTA). One of the provisions of FACTA prohibits a company from printing more than the last 5 digits of a credit card number on the customer's receipt. According to the article, more than 300 class actions have been filed against a number of companies, including Toys "R" Us Inc. and AMC Entertainment Holdings.

FTC Announces Settlement With TJX, Lexis

The FTC agreed to settle charges with discount retailer TJX and data broker Reed Elsevier. The FTC had sued each of the companies for failing to adequately protect the security of consumer data. Both of the FTC's suits were brought under the unfair trade practices theory under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a). The TJX Complaint is available here; the Reed Elsevier Complaint is available here.

Patient Data Exposed Online

Today's Baltimore Sun reports on an incident involving Dental Network, a CareFirst BlueCross BlueShield dental HMO, in which the company accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public website. A Maryland Law (SB 194) enacted last year requires that businesses notify consumers of a breach of their personal information "as soon as reasonably practicable after the business discovers or is notified of the breach." In this case, it took 3 weeks before CareFirst notified customers of the breach.

Goal Financial Settles Charges Of Failing To Safeguard Sensitive Information

Student loan company Goal Financial LLC has agreed to settle with the FTC over charges that it failed to adequately safeguard sensitive customer information. The FTC's Complaint alleges a number of violations, including violations of the Commission’s Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, and the Commission’s Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313. Also see the Consent Order Agreement.

Annonymity On The Net

Is there a First Amendment right to speak annonymously on the internet? A recent California Appellate (Krinsky v. Doe 6) case holds that, under certain circumstances, there is. In that case, plaintiffs argued that the identity of a individual who posted "scathing verbal attacks" on an online message board against corporate officers of a Florida company should be exposed. Plaintiffs served a subpoena to have the identity of "Doe 6" disclosed but the request was denied.

Sears Sued For Failing To Adequately Protect Website

This Washington Post article reports on a class action suit against Sears for failing to adequately secure the personal information on its website managemyhome.com. The site's security vulnerabilities came to light after Ben Edelman pointed out the ease with which anyone could access the purchase history of the site's users. See here for a copy of the Complaint filed in Cook County, Illinois.

Google Not Required To Disclose Identity of Blogger

Google has no obligation to disclose the identity of a blogger who used Blogger.com to allegedly defame a Long Island school board member. Judge Marcy S. Friedman of the New York County Supreme Court called the blogger's statements opinions rather than actionable statements of fact. As such, there is no case for defamation and Google has no obligation to turn over the records. Greenbaum v. Google Inc. (N.Y. Sup. Ct., N.Y. County Oct. 23, 2007).

'07 Global Security Survey

Deloitte recently published it's annual review of the state of information security in the financial services industry. The survey includes data from 169 global financial institutions in 32 countries. Key findings include: companies are moving away from a sole focus on shoring up infrastructure against external breaches and are focusing instead on a a layered approach of preventative, detective and corrective controls; respondents identified access and identity management (50%) as their top operational initiative; generic countermeasures (encryption, access control, and network security) are proving inadequate at protecting on-line applications; and in an organization’s attempt to prevent security breaches, people remain the weakest link.

A Global Privacy Standard?

A senior executive at Google stated today that he agreed on the need for a basic set of global privacy protections. See this CNET article for more.

EU Data Transfer Regulations

U.S. companies transferring personal data from Europe to the U.S. must follow prescribed methods to protect data in accord with EU data privacy protection laws. Complying with this "adequacy requirement" means satisfying each European nation's data protection authorities. Binding Corporate Rules allow a company to design a single set of internal rules that work on their own data protection policies for intranet sites, databases and other electronic business tools that also comply with EU requirements. For more on this, see this article from the New York Law Journal.

Robot Exclusion Protocol

If you are concerned, as I am, about the privacy threats posed by Google's search bots, take a look at the following post from Paul Ford of Ftrain.com.

Executive Office of The President Not Subject To FOIA

This page on the White House website states "The Office of Administration, whose sole function is to advise and assist the President, and which has no substantial independent authority, is not subject to FOIA and related authorities."

Financial Privacy Legislation

The National Conference of State Legislatures provides this list of financial privacy legislation--both introduced and enacted--from all 50 states for the years 2000-2006. The list includes links to the full text of the legislation. The same site also provides a 50-state listing of security breach legislation.

Government Barred From Accessing Emails From ISP

In a recent 6th Circuit decision, Warshak v. United States (June 18, 2007), the Court ruled that email users have a reasonable expectation of privacy and thus barred the government from accessing emails from the Internet Service Provider of a criminal defendant.

House Committee Passes Social Security Privacy Legislation

In a press release, the House Ways and Means Committee stated "During the course of the 16 hearings conducted by the Subcommittee, numerous experts testified that the easy availability of Social Security numbers (SSNs) in the public and private sectors, combined with the number’s widespread use as an individual identifier, greatly facilitates the crime of identity theft. The bill would restrict the use of the SSN by government and business, to make it less accessible to identity thieves, while providing exceptions for legitimate and necessary uses of the number." Click here for a text of the bill.