In our July 28, 2007 post, we discussed the Athens Affair - the widespread wiretapping of Greek officials' and others' mobile phones during the time of the 2004 Athens Olympics.  The role of the service provider in that illegal wiretapping has not been publicly and definitively determined, but now the Hellenic Authority for Information and Communication Security and Privacy (ADAE) has just fined Ericsson Hellas 7.36 million Euros (US $10.15 million) and the Greek unit of Vodafone 76 million Euro (US $104.9 million) in December 2006. It still is unclear why the wiretaps were set and who set them, but the service providers involved are paying the price. 

On August 27, 2007, New Zealand's Privacy Commissioner released draft guidelines that encourage businesses to voluntarily notify individuals of significant data breaches affecting their personal information.  The draft guidelines include a privacy breach checklist and a document outlining steps to take in response to breaches.  Whether notice should be given, and if so, the form of notice, depends on several factors in assessing risk of harm to an individual. The flexible approach of the guidelines stands in stark contrast to the U.S. inconsistent patchwork of mandatory requirements that have resulted in an ineffectual flood of notices to individuals.  The Privacy Commission is accepting comments on the recommendations until September 28, 2007.

On August 23, 2007, the United States Court of Appeals for the Seventh Circuit affirmed the lower court's dismissal of a class action alleging negligence against Old National Bancorp arising from a computer intrusion and theft of customer personal information.  The court determined that past and future credit monitoring services were not direct financial losses sufficient to prove damages. Further, plaintiffs did not allege that any member of the class had been the victim of identity theft as a result of the breach.  The Seventh Circuit decision is another in a long line of cases dismissing class action lawsuits based on security breach negligence claims.  The case is Pisciotta v. Old National Bancorp, 2007 WL 2389770 (7th Cir. 2007). 

On behalf of client Vonage Holdings Corp., Perkins Coie obtained complete dismissal of a purported class action anti-spam case filed against Vonage in California. The plaintiff, a recent law school graduate represented by Hagens Berman Sobol Shapiro LLP, sought damages and injunctive relief from Vonage in California state court on the theory that email advertisements for Vonage services sent from more than one domain name violated California's anti-spam law, Cal. Bus. & Prof. Code Section 17529.5, and Consumer Legal Remedies Act.

On October 4 - 5, 2007, Conference Co-Chair Kirk Soderquist and speakers Don Karl and Shaalu Mehra will join other leading industry professionals and practitioners discussing content, access and intellectual property issues, recent court decisions, financing, cross-border issues, the growth of casual games, M&A transactions and outsourcing agreements.

On July 27, 2007, the U.S. District Court for Massachusetts denied the Government's request for an order to obtain historical cell site information from a wireless carrier based upon the “specific and articulable facts” standard of Section 2703(d) of Title 18.  Instead, the court held, that for it to issue an order compelling a telecommunication service provider to disclose historical cell site information to federal law enforcement agents, the Government must establish probable cause, as consistent with the requirements of Rule 41 of the Federal Rules of Criminal Procedure - in other words, the law enforcement agency must obtain a search warrant.  Having chronicled the Magistrate's Revolt denying orders for prospective cell site information or tracking mobile phones on the “specific and articulable facts” standard of Section 2703(d), this is the first court to hold that probable cause is required for historical cell site information as well. The continued confusion in the courts and among service providers as to the proper standard for disclosure of location information underscores the need for legislative clarity.

The Office of the Privacy Commissioner of Canada has published guidance for organizations for notifying customers when a privacy breach occurs. A privacy breach is the result of an unauthorized access to or collection, use or disclosure of personal information in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial privacy legislation.  The guidance is just that, guidance, and neither PIPEDA nor any other law in Canada currently requires notice for a breach.  However, it is expected that the guidance will serve as the basis for amending PIPEDA in the near future.  The Commission also published a checklist for organizations to use in evaluating the need to provide notice. The checklist is a handy outline of considerations for dealing with security breaches.

On September 17 - 18, 2007, Al Gidari will join attorneys, security and compliance professionals, and executives and managers serving information technology-dependent organizations in Seattle, Washington to compare experiences and information, and develop new strategies for addressing complex legal obligations and risks.  The event is sponsored by Microsoft Corporation and the University of Washington's Computer Science and Engineering Department have joined the Center for Information Assurance and Cybersecurity, the Shidler Center for Law, Commerce and Technology, and others. For registration, see: http://www.infosec-institute.org/ 

Two recent data disposal cases serve as a fresh reminder to businesses of the need to ensure that proper destruction protocols are in place as part of an overarching cradle-to-grave data protection program. Effective data protection programs must sufficiently address not only the initial collection, use and disclosure of personal information but also effective procedures to properly store or dispose of personal information once it is no longer needed.

The FTC appears to have taken an interest in exploring potential regulation of how businesses in the private sector use Social Security numbers (SSNs).  In tandem with the President's recently formed Identity Theft Task Force, the FTC recently requested public comment regarding the extent and purpose for current SSN use in the private sector, the role SSNs in identity theft, and whether there are feasible alternatives to using SSNs in the normal course of business.

Companies that rely on SSNs to conduct business should consider submitting comments to the FTC.  Comments are due September 5th, 2007.