California Supreme Court Finds That Apple Is Not Prohibited From Obtaining Personal Identification Information for Online Purchases

Court Makes a Distinction between Brick-and-Mortar and Online Transactions

by Peggy Reetz

On February 4, 2013, the Supreme Court of California issued its decision in the Apple v. Krescent case.  In June 2011, David Krescent (the original plaintiff) sued Apple on behalf of himself and a putative class, alleging violations of California’s credit card act (the Song-Beverly Credit Card Act).  The Act prohibits retailers from requesting or requiring, as a condition of accepting a credit card as payment, that the cardholder write any personal identification information upon the credit card transaction form; the Act also prohibits retailers from writing the personal information on the transaction form themselves.

Krescent alleged that he purchased media downloads from Apple on various occasions and that, as a condition of receiving these downloads, he was required to provide his telephone number and address.  Krescent also alleged that Apple records each customer’s personal information but Apple is not required to collect a customer’s telephone number or address in order to complete the credit card transaction.  Even if a credit card processing company requires a valid billing address, under no circumstances would a customer’s telephone number be required to complete the transaction, Mr. Krescent argued.

Apple filed a demurrer arguing that the Credit Card Act does not apply to online transactions and also argued that a decision otherwise would undermine identity theft and fraud prevention measures.  The trial court overruled the demurrer – “the Act itself is silent on exempting online credit card transactions… [the Court is] not prepared, at the pleading stage, to read the [Credit Card] Act as completely exempting online credit transactions…”

The Supreme Court reviewed various exceptions to the prohibition on collecting personal data: cash advances, contractual obligations, fraud/theft prevention (such as collecting ZIP codes at a self-serve gas station), and special purposes such as shipping or installation.  The Court noted that the Act does not prohibit requiring a cardholder to show a reasonable form of ID as a condition of accepting credit card payments.

The Court noted that the Act makes no reference to online transactions, or even to the Internet (it was enacted in 1990).  The Court stated that the text of the Act alone is not decisive.  At the time the language was enacted, the Legislature did not contemplate commercial transactions over the Internet.  The Court reviewed California appellate cases that dealt with whether shield laws apply to digital media, or whether an electronic signature was appropriate for an initiative petition.  But, rather than analogizing too closely to the “new media” versus “old media” cases, the Court returned to the history and purpose of the Credit Card Act.

While the Act is intended to protect consumer privacy, the Legislature did not intend to achieve privacy goals without regard to the risk of fraud.  The Court reasoned that the fraud safeguards available to a brick-and-mortar retailer (the shopkeeper can inspect the signature, photo ID, etc.) are not available to an online retailer.  The Court ruled that the key antifraud provision in the Act has no practical application to online transactions involving electronically downloadable products.  Krescent conceded that Apple may need a valid billing address, if not a telephone number, to verify the credit card.  The Court believed the Legislature expressly authorized retailers to request additional information (a driver’s license, state ID card, or other form of photo ID) in order to combat fraud.

In that regard, the Court found it appropriate for Apple to collect such information to combat fraud (disagreeing with one of the dissenting justices, the majority found that the legislative history addresses the concern that there be some mechanism for verifying a cardholder’s identity).  Ultimately, the majority found that the Act does not apply to online transactions.  The Court had to reconcile these findings with its earlier decision in Pineda v. Williams-Sonoma, which found that ZIP codes constitute personal identification information.  The Court noted that the Legislature subsequently carved out exceptions permitting the collection of ZIP codes when used for fraud prevention purposes (pay-at-the-pump transactions, for instance).

Finally, the Court noted that the California Legislature has weighed the goals of regulating online privacy against concerns unique to online commerce.  COPPA, the California Online Privacy Protection Act of 2003, requires online services and Web site operators to post privacy policies and requires those policies to address which categories of information the operator may collect.  The Court also cited the TCPA, stating that federal law likewise is intended to protect the privacy interests of consumers (the do-not-call registry and the like).  The Court closed the decision with a recitation of how significant e-commerce has become since the enactment of these statutes and invited the Legislature to revisit the issue of consumer privacy and fraud prevention in online transactions (just as the Legislature did in response to the Pineda decision).

The decision is at:

http://appellatecases.courtinfo.ca.gov/search/case/mainCaseScreen.cfm?dist=0&doc_id=2002562&doc_no=S199384


FTC Issues Report on Ways to Improve Mobile App Disclosures

The report, issued February 1st, provides recommendations for the mobile marketplace, including operating system providers such as Amazon, Apple, BlackBerry, Google and Microsoft.  The report also addresses application developers, advertising networks, analytics companies and app developer trade associations.  The report notes that in the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones.  Given such widespread use of the technology, the FTC staff notes that unprecedented amounts of data are being collected.  The FTC offers several suggestions for the “major participants” to improve mobile privacy disclosures.  The report recommends that mobile platforms should:

-Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;

-Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;

-Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;

-Consider developing icons to depict the transmission of user data;

-Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;

-Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and

-Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

-Have a privacy policy and make sure it is easily accessible through the app stores;

-Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);

-Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.

-Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

-Communicate with app developers so that the developers can provide truthful disclosures to consumers;

-Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

-Develop short form disclosures for app developers;

-Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;

-Educate app developers on privacy issues.

The FTC also introduces Mobile App Developers: Start with Security, a new business guide that encourages developers to aim for reasonable data security, evaluate the app ecosystem before development, and includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The FTC also announced a settlement with the operator of the Path social networking app.  The FTC alleged that the app deceived users by collecting personal information from their mobile device address books without their knowledge or consent.  The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.  The company also agreed to pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

See update from the NYT: a loophole allows Path to share location data even when a user has turned off location services: http://bits.blogs.nytimes.com/2013/02/01/path-photos-location-loophole/


HHS Issues Final Omnibus Rule under HIPAA

Final Rule Keeps Tiered Penalties, Now Addresses “Subcontractors”

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing modifications to the HIPAA Privacy and Security Rules. HHS issued the final rule to:
-modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under HITECH to strengthen privacy and security protection for individuals’ health information (applying Security Rule standards and certain Privacy Rule provisions directly to business associates);
-modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act (an access or disclosure of PHI that is not permitted is presumed to be a breach);
-modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing GINA provisions (Genetic Information Nondiscrimination Act of 2008);
-make certain other modifications to the HIPAA Rules in order to improve effectiveness and flexibility.

The final rule is effective March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

The regulations transform the relationship between covered entities and business associates and, for the first time, regulate a new type of HIPAA entity: “subcontractors.” The rule replaces the “harm” standard in the breach notification rules with a four-step determination as to whether notification is required.

The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

Final modifications to the Privacy, Security and Enforcement Rules (per HITECH) include:
• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information without individual authorization.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

The final rule adopts the tiered civil money penalty structure. This includes the modified “reasonable cause” definition, i.e., the second tier of the penalties (the entity knew, or with reasonable diligence should have known, of the violation, but the violation was not due to willful neglect). The HITECH tiered penalty scheme is as follows:

(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation;
(2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation;
(3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and
(4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

(Emphasis added).

In applying these amounts, HHS says it will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts as required by the statute (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors).

The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

HHS declined to provide a definition for Health Information Organization.

Data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.

The official publication for the new rule is scheduled for January 25, 2013.

Class Action Suit Filed Against Barnes & Noble Over PIN, Credit Card Theft

Stacks

Barnes & Noble gets sued over PIN “skimming” scam

On October 27, 2012, plaintiff Elizabeth Nowak filed a putative class action against Barnes & Noble (“B&N”) arising out of the PIN pad tampering incident reported by the company as of October 23, 2012 (see press release of October 24, 2012: www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html ).

In its press release, Barnes & Noble advised that it had detected tampering with PIN pad devices used in 63 of its stores.  The tampering was limited to one compromised PIN pad in each of the affected stores.  The B&N statement says that criminals planted bugs in the tampered PIN pad devices and that it disconnected all PIN pads from its stores, nationwide, by close of business September 14, 2012.  The press release further advised that the company had notified federal law enforcement authorities and was “supporting” the investigation.

In the complaint, filed in the USDC for the Northern District of Illinois, plaintiff alleges that B&N’s security failures enabled skimmers to steal financial data within B&N stores, allowing for unauthorized purchases and putting the class members’ financial information at serious and ongoing risk (a skimmer is a device made to be affixed to the mouth of an ATM that secretly copies credit and debit card information when bank customers slip their cards into the machine to withdraw money; see http://krebsonsecurity.com/all-about-skimmers/).  Plaintiff alleges that B&N failed to disclose the extent of the breach and failed to individually notify each affected customer.  Plaintiff asserts claims for breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The individual plaintiff, Nowak, states that she shopped at a B&N store in Illinois prior to September 14, 2012 and that on at least one of these occasions, she swiped her debit card through one of the store’s PIN pad terminals.  While plaintiff alleges that B&N customers are subject to continuing damage from having their personal information compromised, the allegations do not contain any specific reference to plaintiff’s own loss or injury from identity theft, credit card fraud, or other specific costs related to card reissuance or credit monitoring.  Plaintiff alleges that B&N failed to directly notify individual customers and that B&N was aware of the problem for six weeks before making a public announcement about the scam.  Plaintiff further alleges that B&N failed to post signs in each of its affected stores to notify returning customers that their financial information may have been compromised (plaintiff does not allege a specific violation of any breach notification statute; the Illinois statute does allow for substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000, but substitute notice would not have included posting signs in the stores; substitute notice is only by email, conspicuous posting on the entity’s website, or notification to statewide media).

The Connecticut AG is interested:

http://www.ct.gov/ag/cwp/view.asp?Q=512804&A=2341

See copy of lawsuit at:

Nowak v. Barnes & Noble

Inspector General – Medicare/Medicaid Tardy On Breach Notifications

In a bit of turnabout-is-fair-play, HHS reveals that the Centers for Medicare and Medicaid Services (CMS) failed to meet the patient notification deadline under the HITECH breach notification rule.  The report also cited some statistics on medical ID theft.  CMS has a database of Medicare ID and claim numbers that have been used, or are suspected of having been used, in ID theft.  As of February 2012, the database held in excess of 280,000 beneficiaries and 5,000 providers.  CMS is supposed to be tracking unusual billing activity and establishing scores to identify claims for review, but guidance is lacking on how to use the database and how to identify billing and medical ID fraud.

http://www.govinfosecurity.com/medicare-lags-on-breach-notification-a-5194

Eleventh Circuit Finds Cognizable Injury Following PHI/PII Breach

On September 5, 2012, the U.S. Court of Appeals for the 11th Circuit reversed, in part, the dismissal of a class action filed first in Florida state court (then removed to federal court), which arose out of the theft of two unencrypted laptops (Resnick v. AvMed, No. 11-13694).  The laptops, belonging to AvMed, a managed care organization, contained protected health information and personally identifiable information for approximately 1.2 million current and former members.  Plaintiffs’ class action alleged that an unknown third party used the information for fraudulent purposes 10 to 14 months after the theft.  AvMed moved to dismiss the class complaint, which the district court granted on the grounds that plaintiffs failed to state a cognizable injury.  Specifically, the district court reasoned that plaintiffs sought to “predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft.”

The 11th Circuit found (after plaintiffs amended their complaint to include only parties alleging actual identity theft) that where plaintiffs allege they have become victims of identity theft and have suffered monetary damages as a result, this constitutes an injury in fact.  Next, the court looked at whether plaintiffs’ injury was fairly traceable to AvMed’s actions.  The court found that even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly-traceable requirement; here, plaintiffs alleged that AvMed failed to secure their information despite plaintiffs’ own efforts at protecting it, and that they had become victims of ID theft.  The court found that under Florida law, plaintiffs’ allegations that they suffered monetary loss stated a cognizable injury.

The court was also satisfied that the allegations sufficed to establish causation, citing the 9th Circuit’s ruling in Stollenwerk v. Tri-West, 254 F. App’x 664 (9th Cir. 2007).  The court looked at whether there was a logical connection between the events: the sensitive information on the stolen laptops was the same sensitive information used to steal the plaintiffs’ identities.  Given the facts pled, the 11th Circuit found a sufficient nexus between the lost-laptop incident and the identity theft loss.  (The court found that the negligence, breach of contract and similar claims could stand, while the unjust enrichment claim could not.)

The dissent found that the complaint should be dismissed for failure to state a claim because the complaint failed to allege a plausible basis for finding that AvMed caused plaintiffs to suffer identity theft.  The dissenting judge argued that it was equally plausible that the identity thieves obtained the information from other third parties, not as a result of the AvMed breach.

The decision may have an impact on how parties view the viability of a class action following a data breach.  The 11th Circuit noted this was the first such review of these issues before it; the ruling, however, may leave open what kind of damages suffice and how long after an incident an identity theft can plausibly be related to it.

California Medical Breach Law – Damage Defense

Proper Safeguards May Allow for Damage Defense per New CA Law

On September 22, 2012, Governor Jerry Brown signed a bill (A.B. 439) that allows defendants to assert an affirmative defense to damage claims, where a HIPAA covered entity or business associate can establish certain actions or a lack of harm.  The existing law, the Confidentiality of Medical Information Act (CMIA), prohibits a health care provider, contractor or health care service plan from disclosing medical information regarding a patient without first obtaining authorization.  The law allows an individual to bring an action against any person or entity who has negligently released records, and provides for statutory damages of $1,000 per record, i.e., nominal damages (no need to show actual damages).  The new bill, effective Jan. 1, 2013, specifies that, in an action brought by an individual, a court may not award the “nominal” damages where the defendant is entitled to the affirmative defense.  The affirmative defense applies to HIPAA covered entities and business associates who establish: that there was notification compliance; that the release of information was to another covered entity or business associate; that the release of the confidential information was not medical ID theft; and that the defendant took appropriate preventive measures (security policies, encryption, retention procedures, remedial measures).  Finally, if the affirmative defense is established, the defendant shall not be liable for more than one judgment on the merits for releases of confidential information arising out of the same event, transaction or occurrence.

“Sniffing” Does Not Violate Wiretap Act

Sniffing Technology Outpaces Legislation

The US District Court for the Northern District of Illinois (Judge Holderman) recently ruled that the interception of traffic on unencrypted, publicly available WiFi networks does not violate the federal Wiretap Act. In a decision on the admissibility of evidence, the court found that a party’s “intercept” fell within an exception to the Wiretap Act, which allows a person “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

The issue arose in a patent infringement case. Innovatio IP Ventures sued commercial users of wireless internet technology, such as hotels and coffee shops, for infringing its patents by making the technology available to their customers, as well as by using the technology to manage internal processes. As discovery proceeded in the case, Innovatio used commercially available WiFi network analyzers to collect information about the allegedly infringing networks of the Wireless Network Users (hotels, restaurants, etc.). The process, known as “sniffing,” requires Innovatio’s technicians to enter the Users’ premises during business hours with a laptop and a packet capture adapter. The adapter can intercept data packets traveling wirelessly between the WiFi router provided by the Users and any devices that may be communicating with it.

Innovatio sought a ruling on the admissibility of the information it gained in the sniffing process. The court asked the parties to address the Wiretap Act issues. Rejecting both parties’ technical arguments (and experts), the court focused on an exception to the Act. The Court distinguished this case from a ruling in the Google Street View litigation, stating that the earlier ruling relied on accepting the premise that communications could only be intercepted using sophisticated technology. Basically, the court concluded that the technology continues to evolve faster than court rulings and legislation. The court noted that the public may still lack some awareness regarding the privacy of communications in a coffee shop setting, but that this lack of awareness does not mean that parties utilizing technology to capture the communications are in violation of the Wiretap Act.

See, In Re Innovatio IP Ventures, LLC Patent Litigation, N.D.Ill., No. 1:11-cv-09308, Aug. 22, 2012