The best argument for why companies should never simply copy and paste the text of another entity’s privacy policy onto their own website can be found in the recent announcement by the FTC of a settlement reached with Snapchat – relating to misrepresentations contained in the Privacy Policy, among other things. (Snapchat is not alleged to have used someone else’s Privacy Policy as its own; however, its mistakes in its public statements about its products illustrate fully that companies should say what they mean, and mean what they say in their privacy policies!)
Data Breach Planning for Small Businesses
Many of the top stories last year related to data breach – from the Target breach during the Christmas Shopping Season (Dec. 2013: Prior Post, Small Business Magazine article; additional news coverage) to the UPS Store data breach during the summer (Aug. 21, 2014) to, more recently, the intentional hacking of Sony Pictures’ servers (Nov. 24, 2014) and Staples’ data breach (Dec. 19, 2014).
It would be easy to believe that data security breaches happen only to large organizations, but such a belief would be mistaken. In the last year, a number of smaller companies have experienced breaches of the records they maintain. These can occur in at least two ways – 1) they may be the third-party vendor through whom hackers invade a larger company like Target or Home Depot; or 2) they use a third-party vendor who experiences a breach that impacts the smaller company’s customers.
LinkedIn Sued for Providing “Trusted References” to Paying Subscribers
On October 9, 2014, a class action complaint was filed in the U.S. District Court for the Northern District of California alleging that LinkedIn violated the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., (“FCRA”) by offering to subscribers reports containing “Trusted References” without complying with the FCRA’s requirements to keep the data safe from disclosure. Sweet v. LinkedIn Corp., Civ. A. No. 5:14-cv-04531 (N.D. Cal. filed Oct. 9, 2014) (available at Law360 – subscription required).
Specifically, the complaint alleges that LinkedIn: 1) failed to comply with the certification and disclosure requirements of the FCRA for credit reporting agencies who furnish consumer reports for employment purposes; 2) failed to maintain reasonable procedures to limit the furnishing of consumer reports for the purposes enumerated in the FCRA and to assure the maximum possible accuracy of these reports; and 3) failed to provide the notices required by the FCRA to users of the consumer reports. Id. at 2. Plaintiffs seek both damages for past violations and injunctive relief to prevent the continued misuse of these reports in violation of the FCRA. Id.
Moving to WordPress
I am very pleased to announce that The Privacy and IP Law Blog has moved to WordPress, and to a dedicated domain – PrivacyandIPLawBlog.com! The blog will operate on both the Blogspot.com location and on the new location for a few months while all the kinks are worked out. Ultimately, the RSS Feed and subscriber links will also move to WordPress.
Why the switch?
Is Your Company Subject to Laws Regulating Safe Destruction of Documents?
Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation. These policies also frequently cover when documents may be destroyed in the normal course of business. (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.) It’s almost a business necessity these days given the cost of document storage.
It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.