Top Privacy Issues 2005

February 9, 2006

1.         A report in the New York Times in late 2005 that domestic spying by the National Security Agency (NSA) had been ongoing since 2002 has placed the Bush Administration on the defensive. In 2002, President Bush issued an executive order which authorized the NSA to conduct warrantless phone-taps of persons who were believed to be linked to known terrorism groups. The complete details of this authorization are still not fully known. The NSA maintained wiretaps on international communications, including those that included U.S. participants, without first obtaining a court order permitting such wiretaps. Such spying on U.S. persons without the approval of the United States Foreign Intelligence Surveillance Court is believed by many legal experts to be barred under the 1978 Foreign Intelligence Surveillance Act (FISA). President Bush and his administration have vigorously defended the practice, and the Justice Department has steadfastly maintained that the wiretapping was legally conducted. In January, 2006, the Center for Constitutional Rights (CCR) filed a lawsuit against President George W. Bush, the head of the NSA, and the heads of the other major security agencies, challenging the NSA’s surveillance of persons within the United States without judicial approval or statutory authorization. The suit seeks an injunction that would prohibit the government from conducting warrantless surveillance of communications in the U.S. CCR filed the suit on its own behalf and on behalf of CCR attorneys and legal staff representing clients who fit the criteria described by the Attorney General for targeting under the NSA Surveillance Program. Additionally, a civil liberties group has sued AT&T for its alleged role in helping the National Security Agency spy on the phone calls and other communications of U.S. citizens without warrants. The class-action lawsuit, filed in U.S. District Court in San Francisco by the Electronic Frontier Foundation, seeks to stop the surveillance program that started shortly after the 2001 terrorist attacks. It also seeks billions of dollars in damages. The EFF claims AT&T not only provided direct access to its network that carries voice and data communications, but also to its massive databases of stored telephone and Internet records that are updated constantly.

2.         Microsoft Corp. announced that it would support national Internet privacy legislation. Microsoft Corp. joined a growing group of major high-tech companies that support the creation of robust federal rules to protect citizens' privacy rights online. With companies like Microsoft, Hewlett Packard and eBay aligning themselves with public interest advocates in the call for stronger privacy protections, momentum is now clearly on the side of those advocating for a robust new federal law. 

3.         The USA PATRIOT Act was set to expire December 31, 2005. The US Congress was unable to agree upon the terms of its renewal prior to its expiration date, and instead passed a temporary renewal of the Act. The House of Representatives balked at a Senate plan to extend the Act by six months to give Congress and President Bush more time to work out their differences, instead forcing the Senate and the administration to accept a one-month extension. A second five-week extension will expire on March 10, 2006.

The USA PATRIOT Act is an anti-terrorism law enacted by Congress within a month after the September 11, 2001 attacks on the World Trade Center and the Pentagon. It contains expanded law enforcement powers that are intended to assist the government in fighting terrorism. Since its enactment, civil libertarians and privacy rights groups have attacked various provisions of the law as overreaching and in violation of the U.S. Constitution. The Bush administration wants to renew the bill and to provide additional authority to law enforcement. However, the administration could not garner enough votes to pass its version of the renewal because members of Congress, particularly the House of Representatives, are sympathetic to the opposition’s concerns. Negotiations between the White House and Congress continue.

4.         The company that operates the popular online search engine, Google, Inc., has chosen to fight the Justice Department in connection with its request that it turn over records it maintains of searches by its users.  The government requested this information in connection with its efforts to enforce an online child pornography law that has faced repeated legal challenges, resulting in a ruling by the Supreme Court two years ago blocking the law’s enforcement.  Google has been refusing the request since a subpoena was first issued last August. Google asserts that the request is unnecessary, overly broad, would be onerous to comply with, would jeopardize its trade secrets and could expose identifying information about its users.  The Justice Department has challenged Google’s response in federal court in an action in which it asks the judge to order Google to turn over the records.  A ruling is expected before the end of February, 2006.

5.         After the highly publicized series of data security breaches that occurred in a short period of time in the spring and summer of 2005, it was expected that the US Congress would enact data security protection legislation before year end. However, despite the introduction in Congress of multiple bills intended to address consumer data security, it does not appear that federal legislation will be passed until March, 2006 at the earliest. In the meantime, during the period between December 1, 2005 and March 1, 2006, twelve new state data security laws will go into effect. In all, 21 states have followed the lead of California by enacting security breach notification laws over the past year. While there are a lot of similarities among the state laws, there are sufficient differences to provide challenges to compliance. Like the federal Gramm-Leach-Bliley Act, enacted in 1999, these laws require businesses to keep consumer data secure, but the state laws also require these businesses to notify individuals of breaches of security. It is expected that due to the lack of speed with which Congress is approaching this issue, more states will have enacted similar data security legislation before a federal law is enacted. Unfortunately, at that point it will be necessary to deal with potentially conflicting federal and state legislation.

6.         A Federal Trade Commission report, released in December, says that more must be done to fight unsolicited bulk e-mail. The report, entitled “Effectiveness and Enforcement of the CAN SPAM Act,” reviews the two-year-old antispam law and outlines new challenges. It also advocates additional legislation to give the FTC increased powers to go after international spammers.

7.         In September, 2005, a U.S. District Court ruled that a man who alleged that a police officer searched a state license plate database to obtain his personal information for improper non-law enforcement reasons was entitled to have his claim under the Driver’s Privacy Protection Act (“DPPA”) heard by a jury.  DPPA was passed by Congress to limit the release of personal driver information contained in motor vehicle records.  According to the federal court, police department policy prohibits the disclosure of nonpublic personal information by the Department of Motor Vehicles, a policy of which the defendant police officer was aware.  The court held that DPPA protects not only against the wrongful dissemination of private information, but also against the wrongful acquisition of that information, and permitted the case to be heard by a jury.

8.         Also in September, 2005, a federal court ordered a permanent halt to an operation that used spam to make false claims for human growth hormone products and diet patches that did not provide the results claimed.  The FTC filed legal charges against an Australian company that the FTC alleged was responsible for a large amount of spam in the U.S.   The court ordered the company to disgorge over $2,000,000 in what it classified as ill-gotten profits.

9.         A potentially significant case to watch involves ChoicePoint, Inc. ChoicePoint is one of the U.S. companies that suffered a security breach early in 2005. It is a data warehousing corporation and provides personal consumer information to businesses for a fee. Thieves posing as small businesses were able to obtain access to the personal information in more than 145,000 of its files. To date, at least 750 people have been the victims of fraud arising out of this data security breach. A class action lawsuit was filed in California on behalf of all of the consumers whose information was disclosed. The suit seeks to prevent similar disclosures in the future and to recover damages. Its stated claims include common law negligence, noncompliance by ChoicePoint with the federal Fair Credit Reporting Act, a claim based upon ChoicePoint’s violation of the California Consumer Reporting Agencies Act, and claims based upon a violation of the plaintiffs’ privacy rights. The plaintiffs seek compensatory damages, statutory damages that could run $145,000 million, and punitive damages.

Additionally, ChoicePoint recently settled data security breach charges brought by the Federal Trade Commission arising out of the same security breach.  It has agreed to pay $10 million in civil penalties and $5 million in consumer redress, and is required to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, as well as a comprehensive information security program.  It is also required to obtain audits by an independent third-party security professional every other year until 2026.

10.        California continues to be the most proactive state on privacy protection issues. Federal courts have wrestled with the issue of whether the provisions of the federal Fair Credit Reporting Act preempt conflicting provisions contained in the affiliate customer information sharing restrictions of the California Financial Information Privacy Act (SB1). The net result of the decisions was a victory for affiliated companies that make a practice of sharing customer information. These companies are not subject to the SB1 requirement that they provide customers with notice and the opportunity to opt out of the sharing of any information with their affiliates. The ability to share applies to the following types of information: 1) consumer report information, including credit scores, as well as application information used for eligibility purposes; 2) transaction and experience information, whether or not it is used for “eligibility purposes;” and 3) other information that is neither consumer report information nor transaction and experience information, such as demographic information which cannot be and is not used for eligibility purposes. Institutions must still comply with the Fair Credit Reporting Act’s notice and opt-out requirements for sharing consumer report information.
