ECPA NEEDS UPDATING TO KEEP UP WITH THE TIMES, SAYS COALITION
Individuals and businesses alike tend to rely on the theory that certain communications are private and not generally accessible by third parties. A crucial prop of this theory is the Electronic Communications Privacy Act (the “ECPA”), which protects electronic communications—whether from individuals or companies—from third-party access. The extent of the protection, however, varies based on whether the communications are in transit or are stored, and may be further complicated by whether the communications are stored internally or stored by a third-party services provider. While businesses may try to assert protections under the ECPA, courts have struggled to apply the ECPA to newer and ever-changing technology, resulting in a patchwork of confusing legal standards. A coalition of companies and organizations (the “Coalition”) is lobbying to update the ECPA and improve protections afforded to electronic communications. Until they succeed, companies should be aware of the current limitations in the law as they push to outsource more of their data processing and communications functions.
EUROPEAN UNION ADOPTS NEW DEFAULT CONTRACT CLAUSES
EU privacy rules generally prevent data controllers within the EU from exporting personal data to data processors outside of the EU. The EU privacy rules, however, do allow data controllers to export personal data outside the EU if the data processor outside of the EU agrees to be subject to certain “standard clauses” approved by the European Commission. On February 5, 2010, the European Commission adopted a new set of standard clauses that are scheduled to take effect on May 15, 2010. Data controllers exporting personal data outside of the EU—including U.S.-based companies operating within the EU—may continue to use the old clauses in relation to contracts executed before May 15, 2010. Starting on May 15, 2010, all such contracts should include the new standard clauses.
P2P’S CAN EXPOSE PRIVATE DATA
The FTC has notified over 100 companies that they were unintentionally leaking private data through peer-to-peer file-sharing services (“P2P”). A P2P service can be used to legitimately share files over the Internet, but if it is not configured correctly it can unintentionally make files containing personal or sensitive data available as well. The problem can be compounded if employees are installing and using unauthorized P2P services on the company network. Employers who have not implemented effective internet use policies governing the installation and use of internet-based software, like P2P file sharing, may be putting the company's sensitive information and files at risk.
FTC FINES COMPANY $12 MILLION FOR VIOLATING DATA PROTECTION PROMISES
In March, the FTC announced a settlement with Lifelock, Inc. In the original complaint, the FTC enumerated seven separate violations of Section 5 of the FTC Act. Four of the violations related to statements about the effectiveness of the ID theft prevention services, but three of the violations related to statements about how the company protected each customer’s private data. At various times, Lifelock represented to its customers that personal data was (i) protected by reasonable and appropriate safeguards, (ii) encrypted, and (iii) only available to employees on a need-to-know basis. While the FTC alleged that Lifelock failed to implement reasonable security measures—like installing system patches, using strong passwords and assessing security risks—the crux of the allegations was that Lifelock did not match its promises to customers with its actions. Particularly notable was Lifelock’s claim that it used encryption to protect personal data when it did not.
The Lifelock settlement is a reminder that companies should compare their privacy policies and marketing statements against their actual privacy practices to avoid creating liabilities under the FTC Act.
This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.