
Tuesday, November 11, 2008

Federal Rule of Evidence 502: Protecting Against the Inadvertent Waiver of the Attorney-Client Privilege

By Kelly Prior, Esq.

President Bush recently signed a bill creating new Federal Rule of Evidence 502, which addresses the disclosure of communications and information protected by either the attorney-client privilege or the work-product doctrine. The purpose of FRE 502 is two-fold: 1) to resolve the conflicts which have arisen between courts in the area of inadvertent disclosure and subject matter waiver; and 2) to bring some measure of control over spiraling discovery costs that are due in part to the concern that any disclosure, however small or unintentional, will result in the subject matter waiver of all protected communications and information. The Rule provides several protections, as follows:

Subsection (a) applies to disclosures which are made in a federal proceeding or to a federal office or agency. When a disclosure is made in that context and the privilege or protection is waived, the waiver will only apply to undisclosed communications or information when the waiver is intentional, the same subject matter is involved and “fairness” dictates that the disclosed and undisclosed communications or information be considered together. Thus, subject matter waiver is reserved for those cases where a party intentionally produces protected information in a selective, misleading and unfair manner.

Subsection (b) applies to inadvertent disclosures which are made in a federal proceeding or to a federal office or agency. In such cases, the inadvertent disclosure does not constitute a waiver if the holder of the privilege or protection took “reasonable steps” to both prevent the disclosure and to rectify the error.

Subsection (c) addresses the difficulties which often arise when the disclosure of protected communication or information is made in a state proceeding, the communication or information then becomes part of a federal proceeding on the grounds that the disclosure constituted a waiver, and there is a conflict between the state and federal laws as to whether a waiver occurred. Rule 502(c) instructs the federal court to apply the most protective law as between the two.

Subsection (d) provides that the terms of confidentiality orders (pertaining to the disclosure of privileged or protected communication or information) entered into in federal proceedings are enforceable against non-parties in any state or federal proceeding.

Subsection (e) makes it clear that while the parties in a federal proceeding may enter into a binding agreement to limit the effect of waiver by disclosure between themselves, such an agreement is not binding on non-parties. The agreement must be made part of a court order in order for it to bind non-parties.

It will be interesting to see over the next few years how effective the new rule is in preserving attorney-client privilege and work product protections and in reducing discovery costs.


Monday, November 10, 2008

Google Updates IP Address Log Retention Policy

By Dino Tsibouris & Mehmet Munur

On September 8, 2008, Google announced that it will reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last time, Google will have to amend its IP log retention period in order to comply with the European regulators’ strict policies.

In June of 2007, Google had to reduce the amount of time it retained distinct IP addresses from 24 months to 18 months, due to pressure from the EU Article 29 Data Protection Working Party. After 18 months of obtaining the IP addresses, Google anonymized its IP logs by replacing the last byte of the IP address with hashes (for example 216.54.106.###). Then, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”

This recent change in IP log retention policy is certainly in part due to the Working Party’s Opinion on Data Protection Issues Related to Search Engines released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working Party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.

Before issuing this opinion, the Working Party sent questionnaires to many search engines. Undoubtedly, Google was one of the search engines that received a questionnaire. Google must have predicted that the Working Party would issue an opinion on IP addresses and cookie use as a result of this questionnaire. Google probably provided all the justifications that it could, but the Working Party was not satisfied. Considering that the Working Party concluded that logs should be retained for 6 months—not 9—Google either has a better justification, or another revision to its privacy policy awaits Google in the near future.

Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”

Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and anonymization used after 9 months are different methods of anonymization. Considering that the Working Party is not satisfied with the first method under all circumstances, arguably, the Working Party may not be satisfied with the new method, either.
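To make the Working Party’s point concrete, here is an added example (our illustration, not Google’s code) that applies last-byte truncation to a constructed log and then counts how many distinct hosts actually sit behind each truncated prefix. The addresses and queries are made up; the point is that a prefix with only one active host is not anonymized at all, however many of the 254 possible addresses it could theoretically cover.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample of search-log lines (not real data): "<ip> <query>".
SAMPLE_LOG = """\
216.54.106.17 flu symptoms
216.54.106.17 pharmacy near me
216.54.106.202 weather
216.54.106.58 football scores
10.8.3.9 divorce lawyer
10.8.3.9 flight to denver
192.0.2.44 recipe
192.0.2.44 recipe chicken
"""

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def truncate_last_octet(ip: str) -> str:
    """Replace the final byte with '###', the style quoted in the post (216.54.106.###)."""
    m = IPV4_RE.match(ip)
    if not m:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return f"{m.group(1)}.{m.group(2)}.{m.group(3)}.###"


def anonymize_log(text: str) -> list[tuple[str, str]]:
    """Return (truncated_ip, query) rows: the log as it would be retained after truncation."""
    rows = []
    for line in text.splitlines():
        ip, _, query = line.partition(" ")
        rows.append((truncate_last_octet(ip), query))
    return rows


def bucket_sizes(text: str) -> dict[str, int]:
    """Count how many distinct original addresses collapse into each truncated prefix."""
    distinct: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        ip, _, _ = line.partition(" ")
        distinct[truncate_last_octet(ip)].add(ip)
    return {prefix: len(hosts) for prefix, hosts in distinct.items()}


def weak_buckets(text: str, k: int = 2) -> list[str]:
    """Prefixes behind which fewer than k distinct hosts were active.

    Inside such a prefix the truncation hides nothing: every retained query
    still belongs to the same single host, so the queries can be linked to
    one user exactly as they could before truncation.
    """
    return sorted(prefix for prefix, n in bucket_sizes(text).items() if n < k)


if __name__ == "__main__":
    for prefix, n in bucket_sizes(SAMPLE_LOG).items():
        print(f"{prefix}: {n} distinct host(s)")
    print("prefixes that still identify a single host:", weak_buckets(SAMPLE_LOG))
```

Raising `k` models a stricter standard: the larger the group a retained record must blend into, the more of the log fails the check.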

One reason for this continuous disagreement over Google’s privacy policy may be how Google and the European regulators think about privacy. IP address logs are an invaluable source of competitive information for Google; therefore, it would like to retain them unless they are shown to be personal data. In other words, presume the data to be non-personal unless proven otherwise. To support this view, Peter Fleischer, Google’s Global Privacy Counsel, argued in NY Times Bits and in his own blog that he did not think that IP addresses were private data under all circumstances. Both Mr. Fleischer and a Google engineer stressed that IP addresses did not always lead back to a unique individual but could be shared among many users.

The Working Party disagreed. The Working Party opinion stated that “increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding-scale approach to IP address privacy, while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions to Google’s IP address logs.

Certainly, Google appears to be taking a serious approach to privacy by creating the Google Privacy Channel on YouTube and drafting reader-friendly Terms of Use. Despite all its efforts, Google’s actions are likely to stay in the spotlight for some time to come. One cannot expect Google to give up so easily on IP address logs that allow Google to provide better services and get the upper hand on its competitors.

Monday, October 06, 2008

Best Lawyers in America - 2009

Dino Tsibouris of Tsibouris & Associates, LLC was recently selected for inclusion in the 2009 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication listing the most respected attorneys in their fields, and it has long been regarded as a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 1.8 million evaluations and votes cast by the top attorneys in the country.

Saturday, August 09, 2008

Recent 9th Circuit Ruling Highlights the Importance of Employee Policies Regarding Electronic Communications

By Dino Tsibouris & Mehmet Munur

The 9th Circuit Court recently ruled that the unauthorized search of employee text messages on an employer-provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy. The case demonstrates the need to revise some of the nation’s privacy laws, as well as the attention employers need to pay to the drafting and enforcement of their privacy policies.

The case arose from the Ontario Police Department’s review of text messages sent by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make dispatching more efficient. In October 2001, the city contracted Arch Wireless to provide the service, and each pager was allotted 25,000 characters per month. When Quon and others went over the allotted character limit, they paid their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related.

Then, in August 2002, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal purposes. To this end, city officials requested the transcripts from Arch Wireless, which sent the transcripts to the City after determining from its records that the pagers actually belonged to the City. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.

As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communications Act (“SCA”) and the Fourth Amendment, among others. The district court dismissed the claims against Arch Wireless under the SCA but decided that the Fourth Amendment claims should go to a jury. On the SCA claim, the district court concluded that Arch Wireless was a Remote Computing Service (“RCS”) under the SCA rather than an Electronic Communication Service (“ECS”). Arch Wireless, as an RCS, could release transcripts of the text messages with the consent of the subscriber alone. Under the facts of this case, the City was the subscriber and had consented to the release of the transcripts. Therefore, Arch Wireless could not be liable. The 9th Circuit disagreed: Arch Wireless was an ECS, and it required the consent of the addressee or the intended recipient in order to disclose the transcripts, neither of which it had obtained. The 9th Circuit reversed the district court on the SCA claim.

Both courts had to interpret the archaic and convoluted language of the SCA that Congress passed as a part of the Electronic Communications Privacy Act of 1986 (“ECPA”). Neither text messages nor emails were in existence at the time. Both courts used legislative history and congressional reports yet came to different results. This is yet another case in a long line of cases that suggests that the legislation on electronic communication needs to be rewritten because unforeseeable results make compliance difficult for corporations.

The case also demonstrates the importance of the reasonable expectation of privacy in electronic communications. Both the 9th Circuit and the district court declined to award summary judgment to the City on the issue of the Fourth Amendment violations. Both courts agreed that a jury might find that Quon had a reasonable expectation of privacy in the text messages he sent from the pager. Both courts noted several factors that would make Quon’s expectation of privacy unreasonable. First, the Ontario Police Department’s Computer Usage Policy, which Quon signed, required equipment to be used for business purposes. Second, Quon attended a meeting where he was specifically told that the policies applied to the pagers. Third, the pager was owned by the Police Department. If that were all, the 9th Circuit noted, the outcome would be very similar to other cases where the employee was specifically cautioned against any privacy. However, several other factors made his expectation of privacy reasonable. First, the officers in charge of collecting the bills had made it clear to the plaintiffs that the text messages would not be audited so long as they agreed to pay for the overages. Second, the City in fact did not audit the messages when the employees paid their overages. Further, the 9th Circuit ruled that the expectation could be reasonable despite the fact that the oral declaration was made by someone not in charge of policymaking. Both courts declined to award the City summary judgment on the reasonableness of Quon’s privacy expectation.

In essence, any employer that has a written policy disclaiming any expectation of privacy in computer, email, or telephone use may undercut that policy through its own conduct and create a reasonable expectation of privacy in employee communications simply by not uniformly enforcing the policy or by acting counter to it. If the employees have not consented, and none of the other exceptions in the ECPA apply, then an employer may be liable to the employee for invasion of privacy.

In comparison, courts usually allow a greater expectation of privacy for personal email accounts on websites—such as Yahoo, Google, or Hotmail accounts—accessed through employer-owned equipment than for business email accounts owned and operated by the employer. However, even such personal email accounts may be subject to monitoring if the employer properly informs the employee. In NERA v. Evans, the employer, NERA, searched Evans’ company-owned laptop’s hard drive after he left employment and found images of Evans’ personal emails. Evans had deleted his personal files and defragmented his hard drive, mistakenly believing that this would remove any traces of his personal files. While the court noted that such emails could not be retrieved by an average computer user simply by browsing the computer’s hard drive, they could be retrieved by a specialist. The court ruled against the employer despite NERA’s written policies stating that a log of network activity would be kept and that network administrators could read emails. The court required the employer to be more specific. The policy did not state that the contents of personal email accounts would be monitored or that NERA could retrieve them from the hard drive. Therefore, the court concluded that Evans’ expectation of privacy was reasonable under the circumstances.

Another case currently in litigation merges the issues in Evans and Quon and illustrates the importance of properly drafting and enforcing privacy policies. In Sidell v. Structured Settlement Investments, the plaintiff alleged that his employer continued reading his personal Yahoo email after he was fired because Sidell had left the email account logged on. Sidell made allegations under the ECPA similar to those between Quon and Arch Wireless. Sidell further alleged that the employer used the email account to monitor Sidell’s communications with his attorney. The employer’s defense is that it suspected Sidell of emailing trade secrets to his personal email account. Depending on how explicit Structured Settlement Investments’ policies were and whether Sidell was in fact emailing himself trade secrets, the employer could be liable under the ECPA. Regardless of how the case turns out, it is likely to demonstrate at least one very important point: employers must caution their managers against snooping on their employees’ emails without consulting in-house counsel.

These electronic communication cases will certainly influence how employers and corporations involved in electronic communications act in the future. Surely, Arch Wireless will work to improve its handling of text message transcript requests where the subscriber is different from the addressee or the intended recipient. Moreover, employers may have to both revise their policies so that they describe their intended actions more accurately and enforce those policies uniformly to ensure that they hold up in court.

The cases are Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (2006); Quon v. Arch Wireless Operating Co., 529 F.3d 892 (2008); and National Economic Research Associates, Inc. v. Evans, No. 04-2618-BLS2 (Sup. Ct. Mass. Aug. 3, 2006).

Monday, May 26, 2008

Google Health Launches

By Dino Tsibouris & Mehmet Munur

Having concluded its testing at the Cleveland Clinic, Google Health launched amid privacy concerns last week. Commentators are concerned that Google is not currently regulated under the Department of Health and Human Services (“DHHS”) and Google’s claim that it is regulated by the Federal Trade Commission does not appear to appease them. Nevertheless, Google Health appears to have a solid approach to both storing health care data online and finding information about health issues with Google Health.

Google Health ships with terms of service, a privacy policy, a health sharing authorization, and a legal notice. The terms of service caution the user that Google Health does not offer medical advice, that the user is responsible for the security of the password, and that Google will treat the information provided by the user in accordance with its privacy policy—along with the usual limitation of liability and exclusion of warranties language. The privacy policy states that Google will not sell, rent, or share the information without the explicit consent of the user, explains what information Google retains, and clarifies how a user may share health data with a licensed third party health care provider. The health sharing authorization allows Google to pass along sensitive health care information to third parties that the user authorizes. Finally, the legal notice provides a limitation of liability for Google’s partners that provide drug-related information.

Commentators have at least two privacy concerns with Google Health. First, anyone with a Google username may instantly and easily sign onto Google Health. While Google requires that passwords be at least 8 characters long, it does not require that passwords contain numbers, upper and lower case characters, and special characters—which would help create strong passwords. Considering that only a minority of users will create strong passwords when not required to do so, access to a user’s health information on Google Health is only as good as the password the user creates—assuming that Google’s systems are secure. However, both Microsoft and Google suffer from this same problem.

Second, Google (rightly) claims that it is not bound by the Health Insurance Portability and Accountability Act (“HIPAA”). The regulations under 45 CFR part 160.102 state that the Act applies to a) health plans, b) health care providers who transmit any health information in electronic form in connection with a covered transaction, or c) health care clearinghouses. A health plan is an individual or group that provides or pays the cost of medical care. Medical care includes diagnoses, cures, treatments, and transportation related to medical care, but not storage or transfer of information. A health care provider is a provider of medical or health services and any other person or organization that is paid for health care in the normal course of business. While medical services are defined ad nauseam in the regulations, none of those services relate to storage of health care information as a service.

A health care clearinghouse is an entity that processes or facilitates the processing of health care information from a nonstandard format (or data) to a standard format (or data), or vice versa. In promulgating the final rules on HIPAA, the DHHS stated that the definition was not meant to apply to telecommunication companies such as internet service providers or telephone companies, so long as they did not process the data in the fashion required. Therefore, processing of information coming from one entity and going to another entity appears to be at the heart of the regulations. Google does not process the data. It only makes it available to both the patient and the health care professional—presumably in the format it is provided. On the other hand, any manipulation of this data from standard to nonstandard format would trigger the regulations under HIPAA. In sum, Google Health currently resides in that gray area between explicitly exempt entities and nonexempt entities.

Nevertheless, Google’s interpretation of the current regulations is in line with DHHS’ Office for Civil Rights (“OCR”), which is in charge of the civil enforcement of the Privacy Rule under HIPAA. Susan McAndrew, senior advisor for the OCR, has stated in unofficial discussions that Google Health and Microsoft HealthVault are exempt from HIPAA rules, but that the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community is in the process of making recommendations to regulate them under HIPAA. In regulating electronic health information exchange networks such as Google and Microsoft, the Workgroup has already identified six factors ranging from prevention of unauthorized access of the health care data to the purposes for which the health care data can be used. However, it will probably be years before such regulations take effect.

Yet, Google does not claim that it is exempt from regulation for its privacy policies. On the contrary, Google agrees that it is subject to section 5 of the Federal Trade Commission (“FTC”) Act. While the OCR responds to thousands of complaints every year, the FTC’s settlements are more public and its punishments are probably more severe. So far this year, the FTC settled with 5 companies for breach of privacy policies, including retailer TJ Maxx, publisher Reed Elsevier, and online advertiser ValueClick. Almost all FTC settlements include biennial security audits by independent third parties for 10 or 20 years following the settlement. Some include civil penalties. In 2006, the FTC settled with ChoicePoint for $10 million in civil penalties and $5 million in consumer redress. Such settlements tend to affect a company’s stock prices in the short run and hurt their brand images. Google is certainly aware of the consequences of a security breach at Google Health.

Google has a healthy competitor to Microsoft’s HealthVault in Google Health. However, both business models appear to be ahead of the legal regulations in this area of health privacy. Moving health records online will certainly benefit patients, healthcare providers, and companies such as Google and Microsoft—so long as all the parties involved understand and fulfill their responsibilities.


Tuesday, May 13, 2008

Ohio Supreme Court Prepares to Adopt Electronic Discovery Rules

By Dino Tsibouris & Mehmet Munur

The Ohio Supreme Court is finalizing Proposed Amendments to the Rules of Civil Procedure that include amendments related to electronic discovery. The comment period for the proposed amendments ended on March 4, 2008. The commission responsible for the rules had until May 1st to review and make changes to the proposed amendments. They have not. Therefore, the proposed amendments should take effect on July 1, 2008—unless the General Assembly adopts a concurrent resolution of disapproval. Though the Ohio Rules are very similar to the Federal Rules, the Ohio Rules differ to accommodate the differences in practical application.

Under proposed Ohio Rule 26, a judge may schedule a pretrial conference related to electronically stored information, while such a pretrial conference is required under the Federal Rules. Also, proposed Rule 26 clarifies the scope of discovery to include electronically stored information and limits it to cases where the information is reasonably accessible and its production is not unduly burdensome or expensive. Proposed Rule 37 provides factors, not found in the Federal Rules, that a judge should consider in determining sanctions for the loss of information as a result of the routine, good faith operation of an electronic information system. Some of these factors are 1) whether and when the obligation to preserve the information is triggered, 2) whether the party intervened in a timely fashion to prevent the loss of information, and 3) whether the party took steps to comply with any court or party agreement requiring the preservation of specific information.

You may find the proposed amendments here.

Thursday, May 01, 2008

Senate Votes to Expand Student Loan Access

By Dino Tsibouris

We represent a number of student lenders with respect to their online lending operations. In the past several months we have observed a number of unique events in the marketplace, ranging from the reduction of interest rates in federally-insured student loans that have made the business financially unattractive to banks, to disruptions in the bond markets that have impaired the ability of lenders to obtain funds to make student loans. Many lenders have suspended student lending activity temporarily, stopped making certain types of student loans, or completely left the business and focused on other opportunities.

Students are now faced with increasing tuition costs at the same time that their access to student loans has substantially declined. To address these concerns, the Senate yesterday approved The Ensuring Continued Access to Student Loans Act of 2008 (similar to a bill that recently passed the House) to increase the amounts borrowers may obtain in federally-insured student loans. Both the Senate and House bills would also allow the Department of Education to buy existing student loans from lenders to free up their capital and allow the lenders to make new loans. President Bush is expected to sign the new legislation. It is important to note that the proposed legislation aims to increase borrowers’ access to FFELP loans, but does not affect private student loans that are not guaranteed by the government.

Interestingly, Federal Reserve Chairman Bernanke was quoted in the Wall Street Journal today as having sent a letter to senators inviting them to revisit their earlier decision to cut interest rates on federally-insured loans to entice lenders to return to the marketplace. Time will tell.


In Case You Missed It: Judge Dismisses Cheating Husband’s Breach of Privacy Policy Case

By Dino Tsibouris & Mehmet Munur

A federal judge in Texas recently dismissed a case (due to improper venue) in which the plaintiff alleged that the website’s breach of its privacy policy led to his wife finding out about his infidelity, which ultimately led to his divorce.

Plaintiff Leroy Greer called 1-800-FLOWERS (Company) and ordered flowers for his girlfriend. He was directed to 1-800-flowers.com when he inquired about the Company’s privacy policy. After the purchase, the Company sent a “thank you” note to his home, which prompted his wife to contact the Company for proof of purchase, a copy of the note attached to the flowers, and information about the husband’s girlfriend. Greer filed suit for $1.5 million arguing that the Company’s actions breached the privacy policy and caused him damages in connection with the divorce that followed.

In its defense, the Company argued that the forum selection clause of the website terms of use specifically assigned Nassau or Suffolk counties of New York exclusive jurisdiction. In response, Greer argued that because the transaction had taken place over the telephone, the forum selection clause was not applicable. In essence, Greer argued that his use of the website to view the privacy policy did not amount to full-fledged use to trigger the terms of use but that the phone transaction governed.

The court disagreed for two reasons. First, the privacy policy was a part of the terms of use which stated that accessing any part of the website legally bound the user to its terms. In other words, Greer was cherry-picking the parts of his agreement with the Company—wanting to enforce the privacy policy but not the terms of use. Second, the court ruled that Greer did not successfully show that the terms of use only applied to web transactions.

The court then summarily found that the forum selection clause did not violate the Supreme Court’s four-factor forum selection test. After all, whether the Plaintiff actually read the terms of use was beside the point, considering that the privacy policy contained a link to them, specifically mentioned them, and notified the user of their existence. Greer was going to have to sue the Company in New York.

While Greer’s lawyer suggested that they would be filing the case in New York in the next couple of weeks, research has not revealed whether he actually has. For details related to Greer’s note to his girlfriend and his wife’s discovery, visit here. Visit here for the MSNBC story.

The case is Greer v. 1-800-Flowers.com, Inc., No. H-07-2543, 2007 U.S. Dist. LEXIS 73961 (S.D. Tex. Oct. 3, 2007).

Friday, April 11, 2008

Google Health Starts Pilot at the Cleveland Clinic

By Dino Tsibouris & Mehmet Munur

On February 21, 2008, Google announced a partnership with the Cleveland Clinic to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond Microsoft’s HealthVault offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.

Google claims that its offering is different from other online personal health records in four ways. First, Google developed its privacy policies using the Google Health Advisory Council, made up of leaders in the health care industry—from the CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. This allows third party application developers to create programs that use its application programming interface, or API. For example, such third party applications may include reminders to take prescription medicine on personalized Google homepages. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their health care information or find information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.

The Cleveland Clinic pilot project is supposed to last six to eight weeks, and the platform is to become public some time after that. For this reason, no terms of use are available from Google by which to judge its commitment to privacy. Yet Google appears to have changed its privacy policies in a positive way. First, Google changed the 30-year expiration period for its cookies to two years, but included automatic renewal.

Second, Google was the first major search engine to anonymize its server logs after 18 months instead of an 18-to-24-month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained in these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18- and 13-month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. Third, Google has started offering videos through its YouTube Google Privacy Channel to explain its privacy policies without legalese and geek-speak.

All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creat[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business, as it would make compliance much easier. Yet cultural and legal differences are likely to make this goal hard to achieve.

On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s keynote speech at HIMSS, a doctor asked what was in it for Google. He answered that there was no “monetization path” for Google Health in the short term. However, he suggested that Google had been able to build a brand following through other services, such as Google News, even though those ancillary services were not supported by advertisements. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.

Eric Schmidt suggested that this service was unlikely to take off or reach market saturation in a short time but that in the long run it makes sense because such a large part of online searches involve health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.

You can find a blog post and screens from Google Health at the Official Google Blog here. You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 here.


Tuesday, March 18, 2008

Supermarket Chain Falls Victim to Security Breach

By Dino Tsibouris & Mehmet Munur

On Monday, March 17, 2008, Hannaford, an East Coast supermarket chain, announced that it had fallen victim to a security breach. The breach has so far resulted in 1,800 actual cases of fraud.

Hannaford announced that the breach exposed 4.2 million unique account numbers during the card authorization process. Hannaford first noticed the breach on February 27 and contained it on March 10. Hannaford, VISA, MasterCard, and the U.S. Secret Service have not released much information regarding the breach because the investigation is ongoing. However, no personal data such as names, addresses, or telephone numbers were revealed during the breach.

It is possible that hackers breached Hannaford’s security in a manner similar to the 2006 breach of TJ Maxx. TJ Maxx employed an outdated and easy-to-break encryption scheme called WEP to secure its wireless networks. Hackers breached a TJ Maxx store’s wireless network near St. Paul, MN using a laptop and a directional antenna. They then used the data obtained there to compromise TJ Maxx’s central customer database at its Framingham, MA headquarters. The hackers obtained many millions of credit card numbers and some personally identifying information such as driver’s license numbers and social security numbers.

Hannaford’s security breach pales in comparison to the breach at TJ Maxx, which may have affected 100 million customers. TJ Maxx has settled with VISA and the card-issuing banks over its breach for $82 million. TJ Maxx has set aside a reserve fund of $107 million for payments and legal expenses. Though the FTC has been investigating TJ Maxx, it has not yet announced a settlement. The FTC may levy fines against TJ Maxx since that breach was the largest security breach to date.

While the FTC has settled only 17 cases to date relating to the data security practices of companies handling personal information, it has settled 2 so far in 2008. It appears that the FTC will settle more cases related to security breaches this year.


Monday, March 17, 2008

Settlement of Lawsuit over Email Upheld

By: Dino Tsibouris & Mehmet Munur

A Massachusetts court of appeals recently held that Amazon was bound to a settlement that was conducted over email to dismiss a case against it and noted that the email exchange created “a present agreement awaiting a later document.”

The litigation that led to the email settlement arose from Amazon’s investment in Basis Technology, a software company focusing on “extracting meaningful intelligence from multilingual text.” In September 1999, Amazon entered into a technical services agreement with Basis to help Amazon create an electronic commerce system in Japan. In December 1999, Amazon purchased 1.6 million shares of preferred stock in Basis with a common stock conversion provision at a ratio of one-to-one and anti-dilution rights. In April 2001, Amazon agreed to a recapitalization that increased its conversion rights to two-to-one (one share of preferred stock to two shares of common stock). In March 2004, the Basis Board of Directors distributed a memorandum acknowledging the issuance of almost half a million shares of preferred stock to In-Q-Tel, the venture capital arm of the Central Intelligence Agency. Amazon received notice of this issuance but did not consent.

In the meantime, in May 2003, Basis had commenced a lawsuit against Amazon for breach of fiduciary duty. In March 2005, counsel for Basis and Amazon reached a preliminary settlement through email. Basis counsel sent an email memorializing the discussions of that evening with 6 provisions that showed general agreement on the main points but omitted most of the details that would be drafted later. One of the provisions required Amazon to convert its preferred stock to common stock under the 1999 share purchase agreement. Basis counsel also asked to be contacted the next morning, before the two parties reported the settlement to the judge, in the event that Amazon counsel disagreed. The next morning, counsel for Amazon replied to the email with one word: “correct.” The trial judge ended the trial and entered an order for a settlement between the parties, pending the detailed provisions.

Several days later, Amazon and Basis reached a deadlock over the conversion ratio. Basis argued that the conversion rate should be two-to-one. Amazon argued that the anti-dilution provisions should result in a ratio of more than 2.1-to-one due to the issuance of shares of preferred stock to In-Q-Tel. Amazon concluded that this difference would result in a loss of a quarter of a million dollars and a reduction in its ownership stake from 10% to 8.5%. When the parties could not resolve this dispute, after extensive hearings and examinations, the court entered a judgment enforcing the settlement agreement the parties had reached during their email exchange in March 2005.

On appeal, Amazon argued that the emails did not create an unambiguous agreement between the parties and that Amazon did not intend to be bound. After reviewing the emails, the appeals court ruled that the parties had reached a settlement on the essential business terms when Amazon counsel “concisely responded, ‘correct.’” The court, citing a 1987 decision, stated that where “the parties have agreed upon all material terms, [therefore] it may be inferred that the purpose of a final document which the parties agree to execute is to serve as a polished memorandum of an already binding contract.” Therefore, agreeing to the essential terms of a contract solely over email does not change the principles of contract formation.

The decisions of both the trial court and the appeals court are not surprising for two reasons. First, Amazon executives appear to have wanted to get out of an unfavorable settlement made by Amazon counsel after it was already concluded. Second, an email that manifests the intention to be bound by a sufficiently definite agreement should be treated no differently from a similar writing in a different medium.

This case compares well with CSX Transp., Inc. v. Recovery Express, Inc., 415 F. Supp. 2d 6 (D. Mass. 2006). There, CSX received an email from a person expressing interest in purchasing railcars as scrap. Relying only on the domain name in the email address, and without checking to make sure that the person worked for that corporation, CSX sold the railcars to the email sender. When the check written by the purchaser bounced, CSX sued the company holding the domain name of the email address, Recovery Express. The court concluded that the railcar purchaser’s use of the email address did not create apparent authority to act as Recovery Express’ agent. Though the CSX employee conducting business over email was not an attorney, it appears that he fell into the same trap that Amazon counsel did when he conducted a settlement over email.

The case is Basis Tech. Corp. v. Amazon.com Inc., No. 06-1048 (Mass. App.Ct., Jan. 7, 2008).


Tsibouris Law Blog Featured in Columbus Business First

The Tsibouris & Associates Law Blog was recently featured in a Columbus Business First article on Columbus law firm blogs. The article discusses the burgeoning law firm blog scene in Columbus, Ohio. To read more, please click here.
