By Chris Bellini and Hill Wellford

Two recent developments in the field of Internet privacy law – one a federal appeals court case, the other a California statute – could have significant impacts on a company's online privacy practices, including its Internet site and the content of its "Privacy Policies" or "Privacy Statements."  These developments concern whether a breach of a privacy promise is a violation of federal law (including potentially a criminal violation), and whether (and how) businesses must notify their customers if a breach of privacy or security occurs.

The In Re Pharmatrak Case – "Wiretapping" Under a Privacy Policy?

The federal case is In Re Pharmatrak, Inc. Privacy Litigation, a May 2003 decision issued by the Court of Appeals for the First Judicial Circuit (the "First Circuit").  A group of pharmaceutical companies used Pharmatrak, a web-monitoring company, to monitor user traffic on their websites.  The companies' contracts prohibited Pharmatrak from collecting personal information.  When Pharmatrak allegedly did collect personal information, civil plaintiffs brought suit and claimed that Pharmatrak breached its contracts with the pharmaceutical companies, thereby causing the companies to breach their written privacy promises to users.

The plaintiffs alleged a violation of the federal Electronic Communications Privacy Act (ECPA), which prohibits unauthorized access to computer systems.  The trial court dismissed the case but the First Circuit reversed and remanded for trial.  The First Circuit ruled that, if plaintiffs succeeded in proving their facts, Pharmatrak could be found to have "intercepted" users' personal information in violation of ECPA.  By its ruling, the First Circuit became one of the few courts to apply ECPA to a situation other than classic "wiretapping" or "computer hacking" conduct.

The In Re Pharmatrak decision raises an important question:  can an ordinary business be liable for a violation of ECPA wiretapping law – which carries substantial criminal penalties – merely for violating an online privacy statement to users?  The decision leaves that question open. 

A criminal ECPA violation requires "intentional" interception of communications, and requires that neither the sender nor the recipient has "consented" to the interception.  Most accidental breaches of privacy statements, therefore, would not rise to the level of an ECPA violation.  Nevertheless, businesses should take precautions when managing customer information that is transmitted electronically, and third-party service providers (like Pharmatrak) should be extremely careful.  Such service providers should ensure that at least one party to a communication has given "consent" for the service provider's "interception."

California Civil Code § 1798.82 – New Duties to Disclose A "Security Breach"

California has revised its business laws to require notification of customers if a "security breach" leads to the disclosure of customers' personal data.  The new law is codified as an amendment to California Civil Code § 1798.82 and takes effect on July 1, 2003.  It applies to any person or business that conducts business in California if the entity possesses "computerized ... personal information."  If a "breach of the security system" occurs, defined as any unauthorized acquisition of personal data, the business must inform affected persons "immediately" unless law enforcement requests a delay.  Consumers have a private right of action under the law for injunctive and civil damages relief, but no specific monetary penalties are suggested.

While the California law sets forth several types of notice that will be considered adequate, including written notice, these may be burdensome.  Fortunately, the law also provides that notice will be deemed compliant if it is made in a manner specified in a company's existing "information security policy."  Businesses, therefore, may wish to specify notification methods in their user agreements or privacy statements.  Few businesses currently do so.

Summary

Taken together, the In Re Pharmatrak case and the California law reinforce the importance of the content of privacy statements and of adopting privacy practices that facilitate compliance with applicable law.  Online businesses should periodically review their privacy statements, particularly as their uses of customer data change over time.  To take advantage of California Civil Code § 1798.82, businesses should consider adding a clause explaining how legal notices will be disseminated to users if required.  The clause need not include the words "security breach" but should be clear and conspicuous.  If the business is already subject to federal laws requiring specific security notices, such as the Gramm-Leach-Bliley Act (financial data) or the HIPAA Privacy Rule (medical records), the California notice can accompany one of those items.

This article has been prepared for general informational purposes only and is not intended as legal advice.

Copyright © 2003 Gibson, Dunn & Crutcher LLP