Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Hulu Scores a Victory (at least temporarily) in Avoiding Class Certification

Posted in Class Action Litigation, Privacy Litigation

Written by Meredith Leary

Another important decision has been rendered in the ongoing In re: Hulu Privacy Litigation saga pending in the United States District Court for the Northern District of California, this time denying – without prejudice – the proposed certification of a class of Hulu users pursuing claims involving Hulu’s allegedly wrongful disclosure of “cookies.”  This class certification decision comes hot on the heels of the Hulu court’s denial of summary judgment in favor of Hulu back in April, when the court found there to be a material issue of fact on the issue of whether the disclosure of a video name tied to an identified Facebook user was a prohibited disclosure under the Video Privacy Protection Act, 18 U.S.C. §2710 (“VPPA”), which prohibits a “video tape service provider” from knowingly disclosing “personally identifiable information of a consumer of the provider” to third parties.

The key factual allegations in this case are as follows.  Plaintiffs allege that at all times relevant to their claims, Hulu included a Facebook “Like” button on the “watch” page of Hulu’s users, and that under certain circumstances, the code that loaded and operated this “Like” button caused the browser of the Hulu user to send to Facebook, among other things, a URL of the user’s watch page (which would indicate the name of the video that the Hulu user accessed) and under certain circumstances, a cookie called the “c_user” cookie that enabled Facebook to link information identifying the Hulu user with that Hulu user’s video choices.  But there was also an additional factual wrinkle, and one that ultimately proved critical to the Hulu court’s denial of plaintiffs’ proposed class: the c_user cookie would only be transmitted to Facebook if the Hulu user used the same computer and same browser to log into Facebook within the four previous weeks and selected Facebook’s “keep me logged in” option.  In addition, the c_user cookie would not be transmitted to Facebook if the Hulu user deleted, blocked or otherwise cleaned his or her cookies after using Facebook and prior to accessing Hulu. 

In denying class certification, the Hulu court concluded that the proposed class articulated by the plaintiffs satisfied the numerosity, commonality, typicality and adequacy of representation requirements for class certification but did not meet the class action prerequisites of ascertainability or predominance.  The Hulu court made quite clear, however, that it would willingly entertain the possibility of certifying subclasses of plaintiffs, and even mused, in dicta, about some possible subclasses for plaintiffs to consider exploring.

The Hulu court closely focused on the impact that individual practices of the proposed class members would necessarily have on the requirements of ascertainability and predominance.  For example, because Hulu users could only qualify as class members if they actually had their PII transmitted to Facebook (meaning that the user’s c_user cookie was sent by Hulu to Facebook), to meet the ascertainability requirement, the plaintiffs needed to (and did not) propose an adequate method of identifying a class of users who accessed Facebook within a month of using Hulu, checked the “keep me logged in” button, and did not clear cookies, either manually or otherwise.  The Hulu court specifically rejected the plaintiff’s suggested method of ascertaining class members through the combined use of broad notice and a self-reporting affidavit, noting concerns with both reliability of that data and the incentives inherent in a per-violation penalty of $2,500.  The Hulu court concluded that at least on the current record, it could not tell how potential class members reliably could establish by affidavit the answer to questions such as whether they looked at Facebook and Hulu from the same browser, whether they logged out of Facebook or whether the user’s cookies were cleared, manually or otherwise. Similarly, on the baseline class action requirement that common questions of fact or law “predominate” over questions affecting only individual class members, the Hulu court concluded that the plaintiffs’ main stumbling block was cookie clearing or cookie blocking, because the record was clear that if the c_user cookie was cleared, then it could not be transmitted to Facebook when the Like button was loaded.  After noting these potential challenges, the Hulu court again suggested the possibility of overcoming these hurdles through narrower subclasses, or through the use of reference to objective criteria or an approach to damages that abated the risk of undue pecuniary incentives.

In light of the Hulu court’s signaling of its willingness to consider subclasses or other approaches that would permit class certification, we would expect to see the plaintiffs try for another bite at the apple. We will be watching this closely, and will keep readers posted on any important developments as they unfold. 


Privacy Monday – June 30, 2014

Posted in Data Breach Notification, Privacy Monday, Privacy Regulation, Uncategorized

Not only the last Monday in June, but the last day of June.    There are quite a few privacy-related things taking effect tomorrow, July 1.   Some reminders:

Florida Amendments to Data Breach Notification Law

The Florida Information Protection Act of 2014 (“FIPA”) takes effect tomorrow.   The FIPA essentially repeals Florida’s existing data breach notification law and replaces it with one of the nation’s most extensive laws relating to data security and notification.

  • The definition of “personal information” now includes “a user name or e-mail in combination with a password or security question and answer that would permit access to an online account.
  • Notice must be provided within 30 days of the incident.
  • When a breach affects more than 500 Florida residents notice must be provided to the Attorney General’s office (see more below).
  • If you rely on Florida’s “risk of harm” exception to avoid providing notice, it will require that the entity investigate the incident, consult with federal, state or local law enforcement and report to the AG of such determination within 30 days.

The Attorney General notice requirement differs in a material way from the other states that have a regulatory reporting requirement.  The notice must contain information about “[a]ny services related to the breach to be offered or scheduled to be offered…”   Although the AG is specifically required to be notified of credit monitoring or identity theft services to be offered, most notices to consumers contain all the information required by FIPA.   Attention must be paid to the second requirement:   Upon request, the entity must provide: (1) “a police report, incident report, or computer forensics report”; (2) “a copy of the policies in place regarding breaches”; and (3) “steps that have been taken to rectify the breach.”    When launching into an investigation of a data breach, remember that attorney-client privilege is important when engaging with investigatory service providers who will create documentation such as “incident” reports or “computer forensics” reports.

Kentucky’s New Data Breach Notification Law

Kentucky became the 47th state to enact a data breach notification law.   Consult the latest version of the Mintz Matrix for the details of the Kentucky law (and all the other July 1 effective amendments).

Canada’s Anti-Spam Law

Canada’s draconian anti-spam law (known as CASL) goes into force tomorrow.   U.S. companies should have compliance programs in place and should have been carefully examining email lists to either obtain express consent or at least determining whether they could be subject to CASL.  Fines of up to CSD$10 million can be imposed under CASL and the Canadian Radio-Television and Telecommunications Commission has already announced its intention to enforce.  Take it seriously.


Happy Canada Day (July 1) to our Canadian readers and Happy Independence Day (July 4) to our US readers!







Wyndham Gets Life Preserver in Data Breach Case

Posted in Data Breach, Data Breach Notification, Federal Trade Commission, Privacy Litigation

Written by Adam Veness

New Jersey U.S. District Judge Esther Salas agreed to allow Wyndham Hotels and Resorts LLC to immediately appeal to the Third Circuit a ruling affirming the FTC’s authority to bring data security cases.  We have been following this case since the beginning, and you can see our last post here.

Judge Salas noted that businesses and consumers nationwide would benefit from appellate review of the issues.  In granting Wyndham’s motion for interlocutory review of her order refusing to dismiss the case, she certified to the Third Circuit the following two questions:

1) Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and

2) Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a). Continue Reading

SCOTUS to Police on Cellphone Searches: “Get a warrant”

Posted in Privacy Litigation

Finding that cellphones contain the “privacies of life”, the U.S. Supreme Court issued a broad endorsement of cell phone privacy, unanimously holding that law enforcement may not search digital information seized from an arrestee’s person without first obtaining a warrant.  The high court was persuaded by the massive quantity of evidence, distinct types of information and pervasiveness of use of cell phones, as well as the private and sensitive nature of information phones hold, ranging from the financial and medical to the intimate.  The court ruled in this way despite the undeniable impact it will have on law enforcement.  This ruling is likely to have wide-ranging effects, including on tablets, laptops and potentially other technology.

Mintz Levin’s Bridget Rohde analyzes the landmark Riley v. U.S. decision in a piece for Law360.   Read it here.


D’oh! OCR Confirms that Medical Records Should Not be Left in the Driveway

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Written by  Dianne J. Bourque  (reprinted from Mintz Levin’s Health Law Policy Matters blog)

The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the driveway.  The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc., (“Parkview”) a provider of community-based health care services.  In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice.  In 2009, perhaps after the transaction fell through, although the Parkview Resolution Agreementdoes not specify, Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, and, according to OCR, within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice.  Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes.  Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form.  Paper records should be secured in accordance with HIPAA standards, for example, stored in locked facility with physical safeguards consistent with HIPAA standards.  Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards.  Records in electronic form must be protected in accordance with the HIPAA Security Rule.  Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur.  Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.

Massachusetts High Court Permits Compelled Decryption of Seized Digital Evidence

Posted in Privacy Litigation

Written by Matthew D. Levitt

Today, in Commonwealth v. Gelfgatt, No. SJC-11358 (Mass. June 25, 2014), a divided Massachusetts Supreme Judicial Court held that under certain circumstances, a court may compel a criminal defendant to provide the password to encrypted digital evidence seized by the government without violating either the Fifth Amendment or Article Twelve of the Massachusetts Declaration of Rights.  This is an interesting development in an emerging issue in the law that has yet to percolate its way to the United States Supreme Court. Moreover, as critical case evidence continues its migration from the physical to the digital realm, it is an issue we can expect to encounter with growing frequency, and is all but certain to eventually require resolution by the Supreme Court.

The Massachusetts high court’s decision hinged on the so-called “foregone conclusion” exception to the Fifth Amendment privilege against self-incrimination, which provides that an “act of production” is not testimonial “where the facts conveyed already are known to the government, such that the individual ‘adds little or nothing to the sum total of the Government’s information.’” Because the defendant, during his postarrest interview, had admitted his ownership and control over the seized computers, his knowledge of their encrypted files, and his knowledge of the password, the Court concluded that compelling him to provide that password “is only telling the government what it already knows.” Providing the password under such circumstances therefore was held not to violate the defendant’s privilege against self-incrimination under either the federal or state constitutions.

In a forceful dissent, two Justices disagreed with the Court’s opinion, stating that the compelled decryption was tantamount to forced self-incrimination.  Describing the potential sweep of the Court’s decision, the dissent stated as follows: “The court holds today that the defendant … may be ordered to enter decryption keys sequentially on each and every electronic device seized from his home, his home office, and his automobile, in order to provide law enforcement officers with unencrypted access to those devices.”

The true scope of the Court’s holding, however, may not become clear until trial courts begin applying it under various factual scenarios, and those applications are tested in the appeals courts. For now, all that is clear is that under certain circumstances, even industrial-strength encryption may not place digital files beyond the government’s reach.

Privacy Monday – June 23, 2014

Posted in Cybersecurity, Data Breach, Data Compliance & Security, Privacy Monday

DC Update from Politico Morning Tech

“DATA BREACH DRAFT DELAYED – The thorny issue of FTC enforcement has slowed efforts to release a draft of Rep. Lee Terry’s data breach bill, according to sources close to the process. Terry had hoped to release the draft he’s been working on with Democrats John Dingell and Peter Welch after a Friday briefing with staff aimed at ironing out some final sticking points, but didn’t get the consensus he’d hoped for. Republicans have historically bulked at handing over too much control to the consumer protection agency, which is angling for more authority to combat the rising threat of data theft. Democrats have tended to side with the FTC on the matter, although some insist any power shift does not weaken state laws.”

More than a Wash and a Wax

This story caught my eye, since I just drove through a car wash yesterday, using my credit card.   If you have also done that lately, you should check your credit card statements.   Brian Krebs of Krebs on Security — the security blogger who broke the stories of the Target and Neiman Marcus data breaches — has done another fascinating inside look at an ongoing set of data breaches.  Read Krebs’ latest here.

There are several important takeaways from this:

(1) if you are running point-of-sale (POS) software (and you need not be a “retailer” to be running such software), when is the last time that you updated it?  Your POS is connected to the Internet and can be an open hole, exposing your customers’ credit card information the moment that card is swiped.

(2)  How do you (or your vendors) access that POS?    In the Krebs article, the POS software could be accessed using pcAnywhere – and old versions at that.   We have worked on many breaches that used exactly this method for POS access either remotely by the store owner or for vendor support.   That access is a “back door” that can also be easily hacked.

(3) Are you still running Windows XP?   Time to upgrade….really.

If you fail to take the proper actions to keep systems up-to-date, and you experience a data breach, you may find yourself without insurance coverage and a defendant in a lawsuit.



Five Lessons from OCR’s Report to Congress on Breaches and HIPAA Rules Compliance

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Regulation, Security

Written by Stephanie D. Willis and Dianne J. Bourque (republished from Mintz Levin’s Health Law Policy Matters blog)


Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information (Breach Report); and (ii) the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (Compliance Report). In reviewing the Breach and Compliance Reports, Chief Information Officers, compliance and privacy officers, and information security professionals in the health care field should note five key lessons:

1) Know Where Your Organization’s Protected Health Information (PHI) is Primarily Stored and Invest in the Right Protection

The statistics in both reports clearly show that the most breaches still come from “older” sources of PHI, such as paper records, desktop computers, and network servers. The Breach Report states that 225 out of the 458 total reports of breaches (or 49%) affecting 500 or more individuals involved these PHI sources in 2011 and 2012. In fact, the largest breach occurring in the two-year period covered by the Breach Report involved a TRICARE contractor’s loss of back-up tapes that affected a total of approximately 4.9 million individuals.

In addition to updating and monitoring security protocols for older PHI sources, covered entities should address security problems with newer storage media. For instance, the Breach Report documents a large jump in the number of breaches involving laptop computers with a corresponding increase in affected individuals between 2011 and 2012: from 48 reports affecting 437,770 individuals in 2011 to 60 reports affecting 654,158 individuals. Because theft was the primary cause of breaches in 2009-2012, ensuring that laptops and other portable electronic devices are secured in accordance with standards acceptable under HIPAA will become even more important as organizations adopt more “bring your own device” policies to ensure the mobility and convenience of health care delivery. Continue Reading

Round Two for Snapchat: Agreement with the Maryland Attorney General Settling Claims of Consumer Deception and COPPA Violations

Posted in Children, Privacy Regulation

Written by Julia Siripurapu, CIPP

Just a little over a month after settling charges of false promises of disappearing user messages (among other things) with the Federal Trade Commission (“FTC”), mobile app developer Snapchat, Inc. (“Snapchat” or “Company”) announced (blog post) that on June 12th  the Company entered into an agreement with the Office of Maryland Attorney General Douglas Gansler to resolve similar claims of consumer deception as well as additional allegations of failure to comply with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”). Continue Reading