Recently in Privacy Category
by Paul Overbee, UMN Law Student, MJLST Staff
In Volume 9, Issue 1 of the Minnesota Journal of Law, Science & Technology, Manish Kumar wrote a note titled Constitutionalizing E-Mail Privacy by Informational Access. The note used the reasoning of a Supreme Court case, Kyllo v. United States, to create a framework with which to analyze what constitutes a reasonable expectation of privacy in terms of an individual's e-mails. The test identified by Kumar was to ask whether the government has to employ special means not available to the public to access any allegedly private information. If the government is employing special means in the course of a search, then that search is subject to Fourth Amendment protections. The note continued by using that rationale as one way to assess e-mail privacy.
Legal inquiries such as those presented in Kumar's note are now receiving greater attention since the recent events involving Edward Snowden. Edward Snowden, a former National Security Agency employee, was involved in leaking documents that have detailed many of the National Security Agency's global surveillance practices. One aspect of these leaks detailed how the National Security Agency requires cell phone companies such as Verizon to collect metadata for all telephone conversations involving individuals from the United States. Since these metadata collections were made public, a number of lawsuits have challenged the constitutionality of the procedure as an unreasonable search and seizure under the Fourth Amendment.
This Fourth Amendment question has been dealt with in two distinct manners, each of which brings a separate conclusion. Judge Richard Leon of the U.S. District Court for the District of Columbia found that the technology used in gathering the metadata employed a special means not available to the public and thus constituted an unconstitutional search and seizure. Alternatively, Judge William Pauley III of the Southern District of New York found that these methods do not implicate the Fourth Amendment.
This issue has already caught the attention of the general public, and it is no stretch to expect the Supreme Court to eventually hear these cases. The Pauley opinion and the Leon opinion both provide a good overview of the arguments available for both sides of the issue. Additionally, the Court may look to the test from Kyllo v. United States to further guide its opinion.
by Jenny Warfield, UMN Law Student, MJLST Staff
On December 19th, 2013, Target announced that it fell victim to the second-largest security attack in US retail history. While initial reports showed the hack compromised only the credit and debit card information (including PIN numbers and CVV codes) of 40 million customers, recent findings revealed that the names, phone numbers, mailing addresses, and email addresses of 70 million shoppers between November 27 and December 15 had also been stolen.
As history has proved time and again, massive data security breaches lead to lawsuits. When Heartland Payment Systems (a payment card processing service for small and mid-sized businesses) had its information on 130 million credit and debit card holders exposed in a 2009 cyber-attack, it faced lawsuits by banks and credit card companies for the costs of replacing cards, extending branch hours, and refunding consumers for fraudulent transactions. These lawsuits have so far cost the company $140 million in settlements (with litigation ongoing). Similarly, when TJX Company (parent of T.J. Maxx) had its accounts hacked in 2007, it cost the company $256 million in settlements.
Target currently faces at least 15 lawsuits in state and federal court seeking class action status, and several other lawsuits by individuals across the country. Common themes by the claimants are that 1) Target failed to properly secure customer data (more specifically, that Target did not abide by Payment Card Industry Security Standards Council Data Security Standards "PCI DSS"); 2) Target failed to promptly notify customers of the security breach in violation of state notification statutes, preventing customers from taking steps to protect against fraud; 3) Target violated the Federal Stored Communications Act; and 4) Target breached its implied contracts with its customers.
A quick review of past data breach cases reveals that these plaintiffs face an uphill battle, especially in the class-action context. While financial institutions and credit card companies can point to pecuniary damages in the form of costs associated with card replacements and customer refunds for fraudulent transactions (as in the TJX and Heartland cases), the damages suffered by plaintiffs in these cases are usually speculative. Not only are customers almost always refunded for transactions they did not make, it is unclear how to value the loss of information like home addresses and phone numbers in the absence of evidence that such information has been used to the customer's detriment. As a result, almost all of the class action suits brought against companies in cyber-attacks have failed.
However, the causes of the cyber-attack on Target are still unclear, and it may be too early to speculate on Target's liability. Target is currently being investigated by the DOJ (and potentially the FTC) for its role in the data breach while also conducting its own investigation in partnership with the U.S. Secret Service. In any event, affected customers should take advantage of Target's year-long free credit monitoring while waiting for more facts to unfold.
by Ude Lu, UMN Law Student, MJLST Articles Editor
Target Corp., the second-largest retailer in the nation, announced to its customers on Dec 20, 2013 that its payment card data had been breached. About 40 million customers who shopped at Target between Nov. 27 and Dec. 15, 2013 using credit or debit cards are affected. The stolen information includes the customer's name, credit or debit card number, and the card's expiration date. [Update: The breach may have affected over 100 million customers, and additional kinds of information may have been disclosed.]
This data breach stirred public discussions about data security and privacy protections. Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen said on Jan. 6, during a Twitter chat, that this event highlights the need for consumer and business education on data security.
In the US, the FTC's privacy protection enforcement runs on a "broken promise" framework. This means the FTC will enforce privacy protection according to what a business entity promised to its customers. Privacy laws have increasing importance in the wake of the information age.
Readers of this blog are encouraged to explore the following four articles published in MJLST, discussing privacy laws in various contexts:
- Constitutionalizing E-mail Privacy by Informational Access, by Manish Kumar. This article highlights the legal analyses of email privacy under the Fourth Amendment.
- It's the Autonomy, Stupid: Political Data-Mining and Voter Privacy in the Information Age, by Chris Evans. This article explores the unique threats to privacy protection posed by political data-mining.
- Privacy and Public Health in the Information Age: Electronic Health Records and the Minnesota Health Records Act, by Kari Bomash. This article examines the adequacy of the Minnesota Health Records Act (MHRA) that the state passed to meet then-Governor Pawlenty's 2015 mandate requiring every health care provider in Minnesota to have electronic health records.
- An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government, by Christopher Soghoian. This article explores how businesses vary in disclosing privacy information of their clients to governmental agencies.
by Erin Fleury, UMN Law Student, MJLST Staff
Last week, the Supreme Court denied a petition requesting a writ of mandamus to review a decision that ordered Verizon to turn over domestic phone records to the National Security Administration ("NSA") (denial available here). The petition alleged that the Foreign Intelligence Surveillance Court ("FISC") exceeded its authority because the production of these types of records was not "relevant to an authorized investigation . . . to obtain foreign intelligence information not concerning a United States person." 50 U.S.C. § 1861(b)(2)(A).
The Justice Department filed a brief with the Court that challenged the standing of a third party to request a writ of mandamus from the Supreme Court for a FISC decision. The concern, however, is that telecommunication companies do not adequately fight to protect their users' privacy concerns. This apprehension certainly seems justified considering the fact that no telecom provider has yet challenged the legality of an order to produce user data. Any motivation to fight these orders for data is further reduced by the fact that telecommunication companies can obtain statutory immunity to lawsuits by their customers based on turning over data to the NSA. 50 USC § 1885a. If third parties cannot ask a higher court to review a decision made by the FISC, then the users whose information is being given to the NSA may have their rights limited without any recourse short of legislative overhaul.
Unfortunately, like most denials for hearing, the Supreme Court did not provide its reasoning for denying the request. The question remains, though: if the end users cannot object to these orders (and may not even be aware that their data was turned over in the first place), and the telecommunication companies have no reason to, is the system adequately protecting the privacy interests of individual citizens? Or can the FISC operate with impunity as long as the telecom carriers do not object?
by Greg Singer, UMN Law Student, MJLST Managing Editor
In the west, perhaps no right is held in higher regard than the freedom of speech. It is almost universally agreed that a person has the inherent right to speak their mind as he or she pleases, without fear of censorship or reprisal by the state. Yet for the more than 1.3 billion currently residing in what is one of the oldest civilizations on the planet, such a concept is either unknown or wholly unreflective of the reality they live in.
by Chris Evans, UMN Law Student, MJLST Managing Editor
In "It's the Autonomy, Stupid: Political Data-Mining and Voter Privacy in the Information Age," I wrote about the compilation and aggregation of voter data by political campaigns and how data-mining can upset the balance of power between voters and politicians. The Democratic and Republican data operations have evolved rapidly and quietly since my Note went to press, so I'd like to point out a couple of recent articles on data-mining in the 2012 campaign.
by Bryan Dooley, UMN Law Student, MJLST Staff
Most voters who use the internet frequently are probably aware of "tracking cookies," used to monitor online activity and target ads and other materials specifically to individual users. Many may not be aware, however, of the increasing sophistication of such measures and the increasing extent of their use, in combination with other "data-mining" techniques, in the political arena. In "It's the Autonomy, Stupid: Political Data-Mining and Voter Privacy in the Information Age," published in the Spring 2012 volume of the Minnesota Journal of Law, Science, & Technology, Chris Evans discusses the practice and its implications for personal privacy and voter autonomy.
by Jeremy So, UMN Law Student, MJLST Managing Editor
As China's Communist Party prepares for its once-a-decade leadership transition, the news has instead been dominated by the fall from power of Bo Xilai, the former head of the Chongqing Communist Party and formerly one of the party's potential leaders. While such a fall itself is unusual, the dialogue surrounding Bo's fall is also remarkable--Chinese commentators have been able to express their views while facing only light censorship.
by Eric Friske, UMN Law Student, MJLST Managing Editor
From one mouse click to the next, internet users knowingly and unknowingly leave a vast array of online data points that reveal something about those users' identities and preferences. These digital footprints are collected and exploited by websites, advertisers, researchers, and other parties for a multitude of commercial and non-commercial purposes. Despite growing awareness by users that their online activities do not simply evaporate into the ether, many people are unaware of the extent to which their actions may be visible, collected, or used without their knowledge.
by Mike Borchardt, UMN Law Student, MJLST Managing Editor
Recent announcements from Microsoft have helped to underscore the current conflict between internet privacy advocates and businesses which rely on online tracking and advertising to generate revenues. Microsoft recently announced that "Do Not Track" settings will be enabled by default in the next version of their web browser, Internet Explorer 10 (IE 10).
As explained by Omer Tene and Jules Polonetsky in their article in the Minnesota Journal of Law, Science & Technology 13.1, "To Track or 'Do not Track': Advancing Transparency and Individual Control in Online Behavioral Advertising," the amount and type of data web services and advertisers collect on users has developed as quickly as the internet itself. (For an excellent overview of various technologies used to track online behavior, and the variety of information they can obtain, see section II of their article). The success and ability of online services to supply their products free to users is heavily dependent on this data tracking and the advertising revenue it generates. Though many online services are dependent on this data collection in order to generate revenue, users and privacy advocates are suspicious about the amount of data being collected, how it is being used, and who has access.