Privacy Compliance and Litigation in California

Understand best practices in cyber security and data breach protection—and how to avoid penalties and lawsuits. Learn how to collect and protect customer data, health care data, children’s data, and employee data within California, the U.S., and worldwide. Discover practical guidance for business, finance, health care, and employers on California and federal data and security law—and the critical new European Union General Data Protection Regulation (GDPR). 

  • Collecting customer data: statutory requirements; privacy policies, security measures
  • Implementing strict new GDPR regulations
  • Online marketing to and collecting children’s data
  • Sending commercial e-mail and telemarketing
  • Complex HIPAA regulation compliance
  • Employee privacy rights and employer obligations
  • Avoiding identity theft
  • Class actions for data breach: causes of action, standing, trial issues
OnLAW BU94930

Web access for one user.

 

$ 330.00
Print BU33930

looseleaf, updated 09/18

 

$ 330.00
Add Forms CD to Print BU23939
$ 99.00
Add OnLAW to print BU94930(40)
$ 129.00

1

Challenges of Privacy Compliance and Litigation

Denis T. Rice

  • I.  SCOPE OF BOOK AND CHAPTER  1.1
  • II.  CHALLENGES FACING ATTORNEYS
    • A.  Patchwork of Federal and State Laws  1.2
    • B.  Developing Technology and Current Issues  1.3
    • C.  Expanding Regulation  1.4
    • D.  Emerging Theories of Liability  1.5

2

Common Law and Constitutional Privacy Protection

Roy G. Weatherup

  • I.  SCOPE OF CHAPTER  2.1
  • II.  HISTORICAL BACKGROUND
    • A.  Privacy as a Legal Concept  2.2
    • B.  Common Law Recognition of the Right to Privacy  2.3
  • III.  PRIVACY AS FEDERAL CONSTITUTIONAL RIGHT
    • A.  Development of Federal Right  2.4
    • B.  Development of Right Under Fourth Amendment: Reasonable Expectation of Privacy  2.4A
  • IV.  INVASION OF PRIVACY UNDER CALIFORNIA LAW
    • A.  Development of Invasion of Privacy as a Common Law Tort in California  2.5
    • B.  Establishment of the State Constitutional Right to Privacy  2.6
    • C.  Elements of Invasion of Privacy  2.7
  • V.  TYPES OF INVASION OF PRIVACY CLAIMS  2.8
    • A.  Intrusion Into a Person’s Solitude or Seclusion
      • 1.  Elements of Intrusion Claim  2.9
      • 2.  Examples  2.10
    • B.  Public Disclosure of Private Facts
      • 1.  Elements of Public Disclosure Claim  2.11
      • 2.  Examples  2.12
    • C.  Portraying a Person in a False Light  2.13
    • D.  Unauthorized Appropriation of a Person’s Name or Likeness for Commercial Purposes
      • 1.  Elements of Appropriation Claim  2.14
      • 2.  Examples  2.15
  • VI.  RELATIONSHIP OF INVASION OF PRIVACY TO OTHER TORTS
    • A.  Negligence  2.16
    • B.  Intentional Infliction of Emotional Distress  2.17
    • C.  Defamation  2.18
    • D.  Other Statutory Violations  2.19
  • VII.  DEFENSES TO INVASION OF PRIVACY
    • A.  First Amendment as Defense to Invasion of Privacy  2.20
    • B.  Other Possible Defenses  2.21
  • VIII.  STRATEGIES FOR BUSINESS  2.22
  • IX.  THE INVASION OF PRIVACY LAWSUIT
    • A.  Jury Instructions on Liability  2.23
    • B.  Remedies for Invasion of Privacy  2.24
    • C.  Verdict and Judgment  2.25

3

Information Security and Security Breach

Françoise Gilbert

  • I.  SCOPE OF CHAPTER  3.1
  • II.  PROTECTION OF PERSONAL INFORMATION
    • A.  Understanding the Need to Protect Personal Information  3.2
    • B.  Personal Information
      • 1.  Personal Information in General  3.3
      • 2.  Definitions  3.4
      • 3.  Proprietary Information  3.5
  • III.  SOURCES OF LEGAL OBLIGATION TO KEEP INFORMATION SECURE  3.6
    • A.  California’s Reasonable Security Procedures and Practices Law  3.7
      • 1.  What Information Is Protected Under CC §1798.81.5?  3.8
      • 2.  What Information and Businesses Are Excluded From Coverage Under CC §1798.81.5?  3.9
      • 3.  What Are Reasonable Security Procedures and Practices?  3.10
      • 4.  Contracts With Third Party Service Providers Are Required  3.11
    • B.  Prohibition of Unfair or Deceptive Business Practices  3.12
      • 1.  FTC Enforcement  3.13
      • 2.  State Unfair Competition Laws  3.14
    • C.  Information Security Laws of Other States  3.15
      • 1.  Massachusetts  3.16
      • 2.  Nevada  3.17
      • 3.  Connecticut  3.18
    • D.  Contracts  3.19
    • E.  Document Disposal Laws and Regulations  3.20
      • 1.  California Document Disposal Law  3.21
      • 2.  FACTA Disposal Rule  3.22
        • a.  Reasonable Measures to Dispose of Information  3.23
        • b.  Disposal Company Services  3.24
        • c.  Third Party Service Providers  3.25
    • F.  Industry-Specific Laws and Regulations
      • 1.  Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act)  3.26
        • a.  HIPAA Privacy Rule  3.27
        • b.  HIPAA Security Standards  3.28
          • (1)  Administrative Safeguards  3.29
          • (2)  Physical Safeguards  3.30
          • (3)  Technical Safeguards  3.31
          • (4)  Organizational Requirements  3.32
          • (5)  Policies and Procedures and Documentation Requirements  3.33
          • (6)  Business Associates  3.34
          • (7)  Guidance on Methods to Protect Health Information  3.34A
        • c.  HITECH Act Notice of Security Breach Requirements  3.35
          • (1)  Breach of Security Affecting a Covered Entity or a Business Associate
            • (a)  Definitions  3.35A
            • (b)  Notice requirements  3.35B
            • (c)  Content of the Notice and Timing  3.35C
          • (2)  Breach of Security Affecting a PHR Vendor or Service Provider of PHR Vendor  3.35D
            • (a)  Definitions  3.35E
            • (b)  Notice requirements  3.35F
            • (c)  Content and Timing of the Notice  3.35G
      • 2.  Gramm-Leach-Bliley Act (GLBA)  3.36
        • a.  FTC Safeguards Rule  3.37
        • b.  Requirements for Security Plan Under FTC Safeguards Rule
          • (1)  Elements  3.38
          • (2)  Contracts With Third Party Service Providers  3.39
      • 3.  Red Flags Rule  3.40
      • 4.  Address Discrepancy Rule  3.41
      • 5.  Online Businesses: Children’s Online Privacy Protection Act (COPPA)  3.42
      • 6.  Sarbanes-Oxley Act  3.43
      • 7.  Dodd-Frank Wall Street Reform and Consumer Protection Act  3.43A
      • 8.  Contracts
        • a.  Privacy Statements  3.43B
        • b.  Data Use Agreements  3.43C
  • IV.  OBLIGATION TO DISCLOSE A SECURITY BREACH
    • A.  California’s Security Breach Disclosure Law  3.44
      • 1.  Who Must Comply?  3.45
      • 2.  What “Personal Information” Is Covered?  3.46
      • 3.  What Is a “Breach”?  3.47
      • 4.  What Notice Is Required?  3.48
      • 5.  When Must Notification Be Made?  3.49
      • 6.  What Information the Notice Must Contain  3.49A
      • 7.  Form: Model Security Breach Notification  3.49B
      • 8.  Notification to the State Attorney General  3.49C
    • B.  Laws in Other Jurisdictions  3.50
    • C.  Addressing Breach Disclosure Issues  3.51
  • V.  THE INFORMATION SECURITY PLAN  3.52
    • A.  Developing a Security Plan  3.53
      • 1.  Identify a Responsible Party  3.54
      • 2.  Assess the Assets to Be Protected  3.55
      • 3.  Assess the Risk to These Assets  3.56
      • 4.  Record the Plan
        • a.  Understand Types of Security Measures  3.57
        • b.  Select Appropriate Security Measures  3.58
        • c.  Additional Characteristics of Plan  3.59
      • 5.  Implement and Train  3.60
      • 6.  Audit, Test, and Monitor Effectiveness  3.61
      • 7.  Conduct Periodic Revisions and Adjustments  3.62
    • B.  Maintaining Security in Relationships With Third Party Service Providers  3.63
    • C.  Monitor Legal Developments  3.64

4

Internet and Electronic Privacy

Denise Olrich

  • I.  SCOPE OF CHAPTER  4.1
  • II.  PRIVACY PROTECTIONS FOR PERSONAL INFORMATION
    • A.  What Is “Personal Information”?  4.2
    • B.  How Do Businesses Collect Personal Information?  4.3
    • C.  Business Obligations to Protect Personal Information  4.4
      • 1.  California Reasonable Security Procedures and Practices Law  4.5
      • 2.  California Social Security Numbers Confidentiality Law  4.6
      • 3.  California Public Safety Officials Home Protection Act  4.7
      • 4.  California Insurance Information and Privacy Protection Act  4.8
      • 5.  Video Rentals
        • a.  Federal Video Privacy Protection Act (VPPA)
          • (1)  Prohibitions, Remedies, and Definitions  4.9
          • (2)  Cases Under the VPPA  4.9A
        • b.  California Law on Nondisclosure of Video Sales or Rentals  4.10
      • 6.  Electronic Surveillance in Rental Cars  4.11
      • 7.  California Consumer Privacy Act of 2018  4.11A
      • 8.  Other Consumer Protections  4.12
  • III.  INTERNET AND COMPUTER PRIVACY PROTECTIONS FOR BUSINESSES AND OTHERS
    • A.  California Comprehensive Computer Data Access and Fraud Act  4.13
      • 1.  Criminal Penalties
        • a.  Fines and Imprisonment  4.14
        • b.  Forfeiture  4.15
      • 2.  Civil Actions  4.16
      • 3.  Cases Under Comprehensive Computer Data Access and Fraud Act  4.17
    • B.  Federal Computer Fraud and Abuse Act (CFAA)  4.18
      • 1.  Civil Remedies Under CFAA  4.19
      • 2.  Criminal Penalties Under CFAA  4.20
      • 3.  Cases Under CFAA  4.21
    • C.  Other State Law Protections for Individual Information  4.21A
  • IV.  HOW MAY A BUSINESS MEET ITS OBLIGATIONS?
    • A.  Website Privacy Policies: California’s Online Privacy Protection Act of 2003 (OPPA)  4.22
      • 1.  Who Is an “Operator” Under OPPA?  4.23
      • 2.  What Is “Personally Identifiable Information” Under OPPA?  4.24
      • 3.  Contents of the Privacy Policy Required by OPPA  4.25
      • 4.  Form: Website Privacy Policy  4.26
      • 5.  Display of Privacy Policy  4.27
      • 6.  Failure to Comply With OPPA  4.28
      • 7.  Other Website Privacy Policy Requirements  4.29
    • B.  General Review of Security Procedures  4.30
    • C.  Physical Security Measures  4.31
    • D.  Evaluation of Data Collected and Methods of Collection  4.32
    • E.  Review of Data Maintenance and Destruction Policies  4.33
    • F.  Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information  4.34
  • V.  ELECTRONIC COMMUNICATIONS PRIVACY  4.35
    • A.  California Law Governing Electronic Eavesdropping and Wiretapping: Invasion of Privacy Act  4.36
      • 1.  Specific Prohibitions of Act: Pen C §§631–632.01  4.37
      • 2.  Penalties  4.38
      • 3.  Application to Cell Phones and VoIP  4.39
      • 4.  Application to Out-of-State Businesses  4.40
    • B.  California Electronic Communications Privacy Act  4.40A
    • C.  Federal Electronic Communications Privacy Act of 1986 (ECPA)
      • 1.  Components of ECPA: Wiretap Act and Stored Communications Act (SCA)  4.41
      • 2.  Wiretap Act  4.42
      • 3.  SCA  4.43
      • 4.  Consequences of Violating Wiretap Act or SCA  4.44
      • 5.  Cases Under ECPA, Wiretap Act, and SCA  4.45
    • D.  Protections for Cable Subscribers
      • 1.  Federal Cable Communications Policy Act  4.46
      • 2.  California Prohibitions on Disclosures by Cable Providers (Pen C §637.5)  4.47
    • E.  Federal Communications Decency Act (CDA)
      • 1.  Immunity Provisions of CDA  4.48
      • 2.  Cases Under CDA  4.49
    • F.  Federal Telecommunications Act of 1996  4.50
    • G.  Federal Telephone Customer Protection Act (TCPA)  4.51
    • H.  California Telecommunications Customer Privacy Act  4.52
    • I.  Pretexting
      • 1.  California Pretexting Law  4.53
      • 2.  Federal Pretexting Law  4.54
    • J.  Social Networking Sites [Deleted]  4.55
    • K.  Behavioral Marketing  4.55A
    • L.  Mobile Devices and Mobile Applications  4.55B
  • VI.  ENFORCEMENT OF BUSINESS OBLIGATIONS AFFECTING PERSONAL INFORMATION
    • A.  FTC Privacy Initiatives  4.56
    • B.  Cybersecurity Act of 2015  4.56A
    • C.  United States Attorney General Enforcement  4.57
    • D.  California Attorney General Enforcement  4.57A
    • E.  Consumer Finance Protection Bureau Enforcement  4.57B
    • F.  Table: Statutory Remedies for Violations of Internet and Electronic Privacy Provisions  4.58

5

Marketing and Sales Regulation

Jonathan D. Avila

Catherine D. Meyer

  • I.  SCOPE OF CHAPTER  5.1
  • II.  OVERVIEW: PERSONAL INFORMATION FOR MARKETING PURPOSES
    • A.  Collection, Use, and Sharing of Information for Marketing  5.2
    • B.  Protection of Personal Information for Marketing  5.2A
  • III.  COLLECTION OF MARKETING INFORMATION
    • A.  How Information Is Collected  5.3
    • B.  Children’s Online Privacy Protection Act (COPPA)
      • 1.  COPPA Statutes, Implementing Rules, Enforcement, and Coverage  5.4
      • 2.  Scope of Covered Activities
        • a.  Use of Site or Service on the Internet; “Operator” Defined  5.5
        • b.  Application to Website or Online Service Operated for Commercial Purposes in Interstate or Foreign Commerce  5.6
        • c.  “Personal Information” Defined  5.7
        • d.  “Collection” Defined  5.8
        • e.  Determining COPPA’s Application to Children
          • (1)  Information From a Child  5.9
          • (2)  The “Actual Knowledge” Standard for General Audience Websites  5.9A
          • (3)  Definition of Websites “Directed to Children”  5.10
          • (4)  Exception for Websites and Online Services That Are “Directed to Children,” But Do Not “Target Children as Their Primary Audience”  5.11
          • (5)  Sites and Services Targeted at Teenagers [Deleted]  5.12
        • f.  Substantive Restrictions on Information Collection  5.13
        • g.  “Disclosure” to a “Third Party”  5.14
      • 3.  Compliance Requirements
        • a.  Notice of Data Collection Practices and Parental Rights  5.15
        • b.  Posting a Privacy Notice  5.16
        • c.  Contents of Privacy Notice  5.17
        • d.  Form: Sample Children’s Website Privacy Policy  5.18
        • e.  Providing Notice Directly to a Parent  5.19
        • f.  Verifiable Parental Consent  5.20
        • g.  The “Sliding Scale” of Obtaining Parental Consent
          • (1)  If Child’s Information Will Be Disclosed to Third Parties; High-Level Consent  5.21
          • (2)  If Child’s Information Will Not Be Disclosed to Third Parties; “E-mail Plus” Method  5.22
        • h.  Exceptions to “Prior Verifiable Parental Consent”  5.23
        • i.  Parental Access, Objection, and Deletion Rights  5.24
        • j.  Information Security Procedures  5.25
        • k.  Obligation to Release Information Only to Capable Third Parties  5.25A
        • l.  Data Retention Limitation and Secure Destruction Obligation  5.25B
        • m.  Safe Harbor Programs  5.26
      • 4.  Enforcement  5.27
      • 5.  Examples of FTC Consent Decrees  5.28
      • 6.  FTC’s Proposed COPPA Revisions [Deleted]  5.28A
      • 7.  Checklist: COPPA Compliance  5.29
    • C.  Supermarket Club Cards  5.30
    • D.  Collecting Personal Information at the Cash Register
      • 1.  Payment by Check  5.31
      • 2.  Payment by Credit Card: Song-Beverly Credit Card Act  5.32
        • a.  Personal Information Retailers May Not Collect During Payments by Credit Card  5.33
        • b.  Exceptions: When Retailers May Collect Personal Information During Payments by Credit Card  5.34
        • c.  Online and Other Indirect Transactions  5.34A
        • d.  Penalties for Violation  5.35
    • E.  Radio Frequency Identification Technology (RFID)  5.36
    • F.  Spyware: Consumer Protection Against Spyware Act  5.37
  • IV.  USE OF INFORMATION
    • A.  Unsolicited Commercial E-mail: Spam  5.38
      • 1.  Federal CAN-SPAM Law: What It Prohibits  5.39
        • a.  Definitions
          • (1)  “Commercial E-mail”  5.40
          • (2)  “Transactional or Relationship Message” and “Primary Purpose”  5.41
          • (3)  “Sender”  5.42
        • b.  Required Contents of Commercial E-mail  5.43
        • c.  Opt-Out Requirement  5.44
        • d.  Form: Opt-Out Notice  5.45
        • e.  Advertising E-mail  5.46
        • f.  Sexually Oriented E-mail  5.47
        • g.  Prohibited Contents of Commercial E-mail  5.48
        • h.  Application to Wireless Devices  5.49
        • i.  Enforcement  5.50
        • j.  CAN-SPAM Preemption of State Law  5.51
      • 2.  California’s Anti-Spam Legislation
        • a.  Prohibited Activities  5.52
        • b.  Who May Enforce; Penalties  5.53
    • B.  Do-Not-Call Registries  5.54
      • 1.  Federal Prohibitions Against Telemarketing: Telephone Consumer Protection Act (TCPA) and Telemarketing and Consumer Fraud Protection Act  5.55
        • a.  Application of TCPA
          • (1)  Prohibitions and Exceptions  5.56
          • (2)  Who Is a Caller  5.56A
          • (3)  What Constitutes the Required “Consent”  5.56B
          • (4)  Established Business Relationship  5.56C
          • (5)  “Dual Purpose” Calls  5.56D
          • (6)  Withdrawal of Consent to Receive Text Messages  5.56E
          • (7)  Do-Not-Call Registry  5.56F
        • b.  Automated Calls  5.56G
        • c.  Compliance Requirements  5.57
        • d.  Enforcement  5.58
        • e.  Effect on State Laws  5.59
      • 2.  California’s Do-Not-Call Law
        • a.  Prohibited Activities  5.60
        • b.  Exceptions  5.61
        • c.  Enforcement  5.62
    • C.  Prerecorded Phone Calls  5.63
    • D.  Do-Not-Fax Laws
      • 1.  TCPA Prohibitions Against Unsolicited Faxes  5.64
      • 2.  California’s Unsolicited Fax Law
        • a.  Prohibited Activities  5.65
        • b.  Exceptions  5.66
    • E.  Marketing to Children
      • 1.  Federal Restrictions on Internet Collection and Use of Information From Children Under Age 13  5.67
      • 2.  California Restrictions on Use of Information From Children Under Age 16  5.68
      • 3.  California’s Privacy Rights for Minors in the Digital World Law  5.68A
    • F.  Child Registries in Other States  5.69
  • V.  TRANSFER OF INFORMATION  5.70
    • A.  California’s “Shine the Light” Law  5.71
      • 1.  Intent and Coverage of Law; Compliance Considerations  5.72
      • 2.  California Businesses Subject to Law  5.73
      • 3.  Out-of-State Businesses Subject to Law  5.74
      • 4.  Simplest Means of Compliance: Opt-In/Opt-Out Customer Rights  5.75
      • 5.  Definitions and Application of Law
        • a.  “Personal Information” Defined  5.76
        • b.  “Customer” and “Established Business Relationship” Defined  5.77
        • c.  “Disclosure” to “Third Parties” Defined  5.78
        • d.  “Direct Marketing Purposes” Defined  5.79
      • 6.  Exclusions and Exceptions to Law  5.80
      • 7.  Joint Collection of Personal Information  5.81
      • 8.  Individuals Entitled to Request Information-Sharing Statement  5.82
      • 9.  Making and Responding to Request for Information-Sharing Disclosure  5.83
        • a.  Obligation of Businesses to Designate Means for Making Requests
          • (1)  Designating Contact Points for Customers to Submit Requests  5.84
          • (2)  Publicizing Contact Points; Three Alternatives  5.85
          • (3)  Advantages of Second Alternative for Publicizing Contact Points  5.86
        • b.  Content of Information-Sharing Disclosure  5.87
        • c.  Format of Information-Sharing Disclosure Statement
          • (1)  Two Sets of Data  5.88
          • (2)  Categories of Personal Information  5.89
          • (3)  Information About Third Parties  5.90
        • d.  Form: Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities  5.91
        • e.  Special Rule for Disclosures to Certain Affiliated Entities  5.92
        • f.  Form: Sample Information-Sharing Disclosure Statement; Affiliated Entities  5.93
        • g.  Delivery and Timing of Responses to Customer Requests for Information-Sharing Disclosure Statements  5.94
      • 10.  Penalties  5.95
    • B.  California Insurance Information and Privacy Protection Act  5.96

6

Financial Data Privacy

  • I.  SCOPE OF CHAPTER  6.1
  • II.  GRAMM-LEACH-BLILEY ACT (GLBA)  6.2
    • A.  Explanation of GLBA
      • 1.  Mandates of GLBA  6.3
      • 2.  Definitions Under GLBA  6.4
    • B.  Financial Privacy Rule (Notice to Consumers)  6.5
      • 1.  Safe Harbor Model Privacy Form  6.5A
      • 2.  “Financial Institutions” Must Give Notice  6.6
      • 3.  Required Contents of Notice  6.7
      • 4.  Sharing Information With Nonaffiliated Third Parties
        • a.  General Rule  6.8
        • b.  Exceptions
          • (1)  When Financial Institutions May Disclose Nonpublic Personal Information  6.9
          • (2)  Limits on Sharing Account Number  6.10
          • (3)  Limits on Reuse of Information  6.11
      • 5.  Customer Opt-Out Provisions  6.12
    • C.  Safeguards Rule  6.13
    • D.  Consequences of Failure to Comply With GLBA  6.14
  • III.  FAIR CREDIT REPORTING ACT (FCRA) AND FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)
    • A.  Purpose and General Requirements; Applicability  6.15
    • B.  Definitions  6.16
      • 1.  Definition of Consumer  6.17
      • 2.  Consumer Report
        • a.  Definition of “Consumer Report”  6.18
        • b.  Exceptions to Definition  6.19
      • 3.  Definition of Consumer Reporting Agency  6.20
      • 4.  Definition of Furnisher  6.20A
      • 5.  Definition of Accuracy  6.20B
      • 6.  Definition of Integrity  6.20C
      • 7.  Definition of Direct Dispute  6.20D
    • C.  Requirements for Furnishers  6.20E
    • D.  Requirements for Consumer Reporting Agencies
      • 1.  Permissible Purposes for Which Consumer Reporting Agencies May Furnish Consumer Reports  6.21
      • 2.  Restriction on Certain Information in Credit Reports  6.22
      • 3.  Prescreening; Opt-Out  6.23
      • 4.  Notice and Disclosure Requirements  6.24
        • a.  Notice to Furnishers and Users of Information  6.25
        • b.  Free Credit Reports; Required Disclosures to Consumers; Required Summary of Consumer Rights  6.26
        • c.  Disclosures to Government  6.27
      • 5.  Limitations on Medical Information in Consumer Reports  6.28
      • 6.  Additional Requirements for Credit Reporting Agencies  6.29
    • E.  Special Requirements for Investigative Consumer Reports  6.30
      • 1.  Person Requesting Investigative Consumer Report Must Make Disclosure  6.31
      • 2.  Restrictions on Information in Investigative Reports  6.32
    • F.  Identity Theft Prevention Requirements  6.33
    • G.  Use of Consumer Reports for Employment  6.34
    • H.  Limitations on Sharing Consumer Credit Information Among Affiliates  6.35
      • 1.  Sharing With Affiliates for Nonmarketing Purposes (Affiliate Sharing)  6.36
      • 2.  Sharing With Affiliates for Marketing Purposes (Affiliate Marketing)  6.37
    • I.  Requirements for Users of Consumer Reports That Take Adverse Action  6.38
    • J.  Requirements for Resellers of Consumer Reports  6.39
    • K.  Consumer Rights to Dispute Reported Information  6.40
    • L.  Disposal of Records  6.41
    • M.  FCRA Preemption of California Law  6.42
    • N.  Penalties and Remedies for FCRA Violations  6.43
    • O.  How Institutions Are Checked for FCRA Compliance  6.44
  • IV.  FEDERAL AND CALIFORNIA RIGHT TO FINANCIAL PRIVACY ACTS
    • A.  Federal Right to Financial Privacy Act  6.45
    • B.  California Right to Financial Privacy Act  6.46
  • V.  CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT
    • A.  Relation to GLBA; Definition of “Nonpublic Personal Information”  6.47
    • B.  Prohibitions on Disclosing Consumer Information to Nonaffiliates; Notice and Opt-Out Provisions  6.48
    • C.  Exceptions to Prohibitions  6.49
  • VI.  CONSUMER CREDIT REPORTING AGENCIES ACT (CCRAA) AND INVESTIGATIVE CONSUMER REPORTING AGENCIES ACT (ICRAA)
    • A.  Applicability of CCRAA and ICRAA  6.50
    • B.  Consumer Credit Reporting Agencies Act (CCRAA)  6.51
      • 1.  Summary of Major CCRAA Provisions  6.52
      • 2.  Remedies  6.53
    • C.  Investigative Consumer Reporting Agencies Act (ICRAA)  6.54
  • VII.  AREIAS CREDIT CARD FULL DISCLOSURE ACT OF 1986  6.55
  • VIII.  USA PATRIOT ACT  6.56
  • IX.  BANK SECRECY ACT (BSA) AND ITS ANTI-MONEY LAUNDERING (AML) LAWS
    • A.  Explanation of BSA  6.57
    • B.  BSA Requirements
      • 1.  Records That Must Be Maintained by Financial Institutions  6.58
      • 2.  Transactions That Must Be Reported  6.59
      • 3.  Individual Reporting Obligations  6.60
      • 4.  Immunity From Liability for Disclosures  6.61
      • 5.  Penalties for Violating BSA  6.62
  • X.  BUSINESSES THAT HANDLE CREDIT AND DEBIT CARDS—PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)
    • A.  What Are the PCI DSS?  6.63
    • B.  Checklist: PCI DSS Requirements  6.64
    • C.  Payment Application Data Security Standard (PA-DSS)  6.65
    • D.  Payment Card Industry Forensic Investigator (PFI)  6.66

7

Health Information Privacy

Paul T. Smith

  • I.  SCOPE OF CHAPTER  7.1
  • II.  OVERVIEW: SOURCES OF LEGAL OBLIGATION TO KEEP HEALTH INFORMATION PRIVATE
    • A.  California Constitution  7.2
    • B.  Information Practices Act of 1977  7.3
    • C.  California’s Confidentiality of Medical Information Act (CMIA)
      • 1.  Application of CMIA in General  7.4
      • 2.  Exemptions From CMIA for Certain Health Information  7.5
        • a.  Mental Health and Developmental Disability Information  7.6
        • b.  Public Health Services  7.7
        • c.  Alcohol and Drug Abuse Information  7.8
        • d.  Information Concerning Communicable Diseases  7.9
        • e.  Other Information Exempt From the CMIA  7.10
    • D.  HIPAA Privacy Rule  7.11
      • 1.  Application of HIPAA Privacy Rule in General  7.12
      • 2.  HIPAA Preemption Scheme  7.13
    • E.  The Health Information Technology for Economic and Clinical Health Act (HITECH Act)  7.13A
    • F.  Laws Governing Specific Health Information  7.14
    • G.  Laws Governing Security of Health Information
      • 1.  HIPAA Security Standards  7.15
      • 2.  The HITECH Act’s Notice of Security Breach Requirements  7.15A
        • a.  Definition of “Breach”  7.15B
        • b.  Timing of Notice of Breach  7.15C
        • c.  Contents of Notice of Breach  7.15D
        • d.  Who Must Be Notified and Manner of Notice  7.15E
        • e.  Preemption  7.15F
      • 3.  FACTA Red Flags Rule  7.15G
      • 4.  California Health Information Security and Breach Notification Laws  7.16
  • III.  COVERED ENTITIES  7.17
    • A.  Entities Covered Under Confidentiality of Medical Information Act (CMIA)
      • 1.  Certain Health Care Professionals and Institutional Health Care Providers  7.18
      • 2.  Certain Health Plans  7.19
      • 3.  Certain Contractors of Health Professionals and Health Plans  7.20
      • 4.  Health Record Providers  7.21
      • 5.  Employers  7.22
      • 6.  Certain Recipients of Health Information  7.23
    • B.  Entities Covered Under HIPAA Privacy Rule
      • 1.  Health Care Providers  7.24
      • 2.  Health Plans  7.25
      • 3.  Health Care Clearinghouses  7.26
      • 4.  Medicare Part D Drug Card Sponsors  7.27
    • C.  Comparison: Covered Entities Under CMIA and HIPAA  7.28
  • IV.  PROTECTED INFORMATION
    • A.  Individually Identifiable Health Information  7.29
    • B.  De-identified Information  7.30
      • 1.  De-identified Information Under HIPAA Privacy Rule
        • a.  De-identification Methods  7.31
        • b.  Contractor May De-identify Information  7.32
      • 2.  CMIA  7.33
    • C.  Limited Data Set  7.34
    • D.  No Disclosure or Use of Protected Health Information Unless Required or Permitted  7.35
      • 1.  HIPAA Privacy Rule  7.36
      • 2.  Under the CMIA  7.37
  • V.  REQUIRED DISCLOSURE OF HEALTH INFORMATION  7.38
    • A.  On Individual’s Proper Request  7.39
    • B.  To Ascertain Privacy Rule Compliance  7.40
    • C.  When Required by Law  7.41
  • VI.  PERMITTED DISCLOSURES OF HEALTH INFORMATION
    • A.  Disclosure Required by Law  7.42
    • B.  Treatment  7.43
    • C.  Facility Directories
      • 1.  HIPAA Privacy Rule  7.44
      • 2.  CMIA  7.45
    • D.  Disclosure to Friends and Family  7.46
    • E.  Notification and Disaster Relief  7.47
    • F.  Payment  7.48
    • G.  Health Care Operations
      • 1.  The Covered Entity’s Operations
        • a.  HIPAA Privacy Rule  7.49
        • b.  CMIA  7.50
      • 2.  The Recipient’s Operations  7.51
    • H.  Marketing  7.52
      • 1.  HIPAA Privacy Rule and Marketing  7.53
      • 2.  CMIA and Marketing  7.54
    • I.  Fundraising
      • 1.  HIPAA Privacy Rule on Fundraising  7.55
      • 2.  CMIA on Fundraising  7.56
    • J.  Research
      • 1.  HIPAA Privacy Rule on Research  7.57
        • a.  Research Defined  7.58
        • b.  When Authorization Not Necessary  7.59
      • 2.  CMIA on Research  7.60
    • K.  Judicial and Administrative Proceedings  7.61
      • 1.  Use by Covered Entity  7.62
      • 2.  Third Party Legal Proceedings
        • a.  Under Court Order  7.63
        • b.  Without Court Order  7.64
          • (1)  HIPAA Privacy Rule  7.65
          • (2)  CMIA: Notice to Consumer  7.66
    • L.  Disclosure for Public Health Activities
      • 1.  HIPAA Privacy Rule on Public Health Activities  7.67
      • 2.  CMIA on Public Health Activities  7.68
    • M.  Victims of Abuse
      • 1.  HIPAA Privacy Rule on Abuse  7.69
      • 2.  California Law on Abuse  7.70
    • N.  Health Oversight Activities
      • 1.  HIPAA Privacy Rule on Oversight Activities  7.71
      • 2.  CMIA on Oversight Activities  7.72
    • O.  Law Enforcement Purposes
      • 1.  HIPAA Privacy Rule on Disclosure for Law Enforcement  7.73
      • 2.  California Law on Disclosure for Law Enforcement  7.74
    • P.  Decedents  7.75
    • Q.  Organ Procurement  7.76
    • R.  Imminent Threat to Health or Safety
      • 1.  HIPAA Privacy Rule on Imminent Threat  7.77
      • 2.  California Law on Imminent Threat  7.78
    • S.  Specialized Government Functions  7.79
  • VII.  PROHIBITION ON SALE OF ELECTRONIC HEALTH RECORDS OR PROTECTED HEALTH INFORMATION UNDER HIPAA PRIVACY RULE  7.79A
  • VIII.  VERIFICATION REQUIREMENTS UNDER HIPAA PRIVACY RULE  7.80
  • IX.  DISCLOSURES REQUIRING AUTHORIZATION UNDER HIPAA PRIVACY RULE
    • A.  When Authorization Is Required  7.81
      • 1.  Conditioning Benefits on Authorization  7.82
      • 2.  Revoking Authorization  7.83
      • 3.  Keeping Authorization  7.84
    • B.  Authorization Requirements  7.85
      • 1.  Required Elements Under HIPAA Privacy Rule and CMIA  7.86
      • 2.  Additional Considerations  7.87
    • C.  Form: Authorization for the Use and/or Disclosure of Protected Health Information  7.88
  • X.  SPECIALLY PROTECTED INFORMATION UNDER HIPAA PRIVACY RULE  7.89
    • A.  Mental Health Information  7.90
    • B.  Information on Persons With Developmental Disabilities  7.91
    • C.  Information Concerning HIV/AIDS Testing  7.92
    • D.  Genetic Testing Information
      • 1.  California Law  7.92A
      • 2.  Federal Law  7.92B
    • E.  Alcohol and Drug Abuse Treatment Information
      • 1.  Federal Regulations  7.93
        • a.  When Federal Regulations Apply  7.94
        • b.  Information Covered  7.94A
        • c.  Disclosure Requirements  7.95
        • d.  When Disclosure Is Permitted Without Patient’s Written Consent  7.96
        • e.  When Disclosure Requires Patient’s Written Consent  7.96A
        • f.  Preemption  7.97
      • 2.  California Law  7.98
    • F.  Psychotherapy Notes and Services
      • 1.  HIPAA Privacy Rule  7.99
      • 2.  California Law  7.100
  • XI.  SPECIAL RULES
    • A.  Personal Representatives
      • 1.  HIPAA Privacy Rule  7.101
      • 2.  California Law  7.102
    • B.  Incidental Disclosures  7.103
    • C.  Minimum Necessary Disclosure  7.104
    • D.  Disclosure to Contractors
      • 1.  CMIA Regulation of Medical Information Recipients  7.105
      • 2.  Business Associates Under HIPAA and HITECH Act  7.106
        • a.  When Business Associate Contract Is Required  7.107
        • b.  Who Are Not Business Associates  7.108
        • c.  Requirements for HIPAA Business Associate Contract  7.109
        • d.  Form: Sample Business Associate Agreement  7.109A
    • E.  Employers and Group Health Plans
      • 1.  Disclosure of Protected Health Information by Covered Entity to Individual’s Employer  7.110
      • 2.  Use and Disclosure of Employment Records Containing Health Information  7.111
    • F.  Health Insurers  7.112
  • XII.  INDIVIDUAL RIGHTS  7.113
    • A.  Notice of Privacy Practices Under HIPAA Privacy Rule  7.114
      • 1.  Provision of Notice
        • a.  When and Where Notice Must Be Provided  7.115
        • b.  Joint Notice  7.116
        • c.  Retention  7.117
      • 2.  Content of Notice  7.118
      • 3.  Revisions to Notice  7.119
    • B.  Right to Access and Copy  7.120
      • 1.  To Which Records Does Right Apply?  7.121
      • 2.  What Must Provider Supply?  7.122
      • 3.  Access to Electronic Health Records  7.122A
      • 4.  Third-Party Recipient  7.122B
      • 5.  Denial of Access
        • a.  HIPAA Privacy Rule  7.123
        • b.  California Law  7.124
    • C.  Right to Amend  7.125
      • 1.  HIPAA Privacy Rule  7.126
      • 2.  California Law  7.127
    • D.  Right to Accounting of Disclosures  7.128
    • E.  Right to Request Additional Restrictions  7.129
    • F.  Right to Confidential Communications  7.130
  • XIII.  ADMINISTRATIVE REQUIREMENTS OF HIPAA PRIVACY RULE  7.131
    • A.  Personnel, Policies, and Training  7.132
    • B.  Safeguards and Protections  7.133
    • C.  Documentation  7.134
  • XIV.  ENFORCEMENT
    • A.  HIPAA Privacy Rule Enforcement  7.135
    • B.  CMIA Enforcement  7.136

8

Workplace Privacy

Ronald J. Souza

  • I.  SCOPE OF CHAPTER  8.1
  • II.  BASIC SOURCES OF EMPLOYEE PRIVACY RIGHTS
    • A.  Constitutions
      • 1.  State Constitution  8.2
      • 2.  Federal Constitution  8.3
    • B.  Statutes  8.4
    • C.  Common Law  8.5
    • D.  Contractual Provisions  8.6
  • III.  PRE-EMPLOYMENT AND OTHER INQUIRIES  8.7
    • A.  Inquiries Into Areas Protected by Fair Employment Laws
      • 1.  Statutory Provisions  8.8
      • 2.  Inquiries in General  8.9
      • 3.  Inquiries About Mental or Physical Condition Before Offer Is Made  8.10
    • B.  Inquiries Into Other Protected Areas
      • 1.  Politics  8.11
      • 2.  Union Activity  8.12
    • C.  Inquiries About Criminal History  8.13
      • 1.  Convictions and Arrests  8.14
      • 2.  Specified Marijuana-Related Convictions  8.15
      • 3.  Convictions Older Than 7 Years (CC §1786.18(a)(7))  8.16
      • 4.  Particular Employers
        • a.  Community Care Facilities  8.17
        • b.  Health Care Facilities  8.18
        • c.  Banks  8.18A
  • IV.  BACKGROUND AND CREDIT CHECKS  8.19
    • A.  Federal: Fair Credit Reporting Act  8.20
      • 1.  Notice of Intent to Request Consumer Report  8.21
      • 2.  Notice of Intent to Request “Investigative Consumer Report”  8.22
      • 3.  Notice of Adverse Action  8.23
      • 4.  Exception for Employee Misconduct and Other Investigations  8.24
      • 5.  Consequences of Failure to Comply With Fair Credit Reporting Act  8.25
      • 6.  Protecting Consumer Report Information From Disclosure  8.26
    • B.  State: Consumer Credit Reporting Agencies Act and Investigative Consumer Reporting Agencies Act  8.27
      • 1.  Consumer Credit Report Notice Requirement  8.28
      • 2.  Investigative Consumer Report Notice Requirement  8.29
      • 3.  When Employer (Not Agency) Assembles Public Record Information  8.30
      • 4.  Limits on Information That May Be Reported  8.31
      • 5.  Notice of Adverse Action  8.32
      • 6.  Exception From Notice Requirement for Employee Misconduct Investigations  8.33
      • 7.  Consequences of Violation  8.34
  • V.  MEDICAL INFORMATION
    • A.  Medical Examination Before Employment but After Offer  8.35
    • B.  Fitness-for-Duty Exams  8.36
    • C.  AIDS Testing and Inquiry  8.37
    • D.  Psychological Testing
      • 1.  Pre-Offer  8.38
      • 2.  Post-Offer; Return to Work  8.39
      • 3.  Interplay With Confidentiality of Medical Information Act  8.40
    • E.  Genetic Information  8.41
    • F.  Information About Disabilities
      • 1.  During Application Process  8.42
      • 2.  Reasonable Accommodation  8.43
    • G.  Drug Testing  8.44
      • 1.  Pre-Employment  8.45
      • 2.  After Hiring  8.46
    • H.  Information About Alcohol, Drug, and Tobacco Use
      • 1.  In General  8.47
      • 2.  Accommodation for Rehabilitation Treatment  8.48
    • I.  Serious Health Conditions Under FMLA  8.48A
  • VI.  POLYGRAPHS, FINGERPRINTS, PHOTOGRAPHS, AND OTHER INFORMATION
    • A.  Lie Detector Tests (Polygraphs)  8.49
      • 1.  Federal Law  8.50
      • 2.  State Law  8.51
    • B.  Voice Stress Analysis  8.52
    • C.  Intelligence Tests  8.53
    • D.  Fingerprints and Photographs  8.54
      • 1.  Fingerprints  8.55
      • 2.  Photographs  8.56
      • 3.  Protecting Fingerprints and Photographs From Disclosure  8.57
  • VII.  WORKPLACE MONITORING AND EMPLOYEE SURVEILLANCE
    • A.  Monitoring Electronic Communications  8.58
      • 1.  Federal Eavesdropping Law  8.59
        • a.  Ordinary Course of Business  8.60
        • b.  Express or Implied Consent  8.61
        • c.  Stored E-Mail; Text Messages  8.62
        • d.  Consequence for Violation  8.63
      • 2.  State Eavesdropping Law  8.64
        • a.  Prohibited Forms of Eavesdropping  8.65
        • b.  Consequences for Violation  8.66
      • 3.  Monitoring Internet Use
        • a.  Accessing Websites on Company Computer  8.67
        • b.  Employee Use of Personal E-Mail Account at Work  8.67A
        • c.  Off-Duty Internet Activity  8.67B
        • d.  Social Networking
          • (1)  Employee Use of Social Networks  8.67C
          • (2)  Employer Use of Social Networks for Information on Job Applicants  8.67D
        • e.  Inadvertent Disclosure of Privileged Information  8.67E
    • B.  Workplace Surveillance
      • 1.  Surveillance of Restrooms and Similar Areas  8.68
      • 2.  Surveillance of Public and Work Areas  8.69
      • 3.  Tracking Devices  8.70
    • C.  Off-Duty Surveillance  8.71
    • D.  Undercover Shoppers  8.72
    • E.  Form: Sample Electronic Information Systems Policy  8.73
  • VIII.  WORKPLACE INVESTIGATIONS
    • A.  Employer Obligation to Investigate  8.74
    • B.  Workplace Searches  8.75
      • 1.  Offices and Other Work Spaces  8.76
      • 2.  Physical Searches of Employees  8.77
    • C.  Interrogations  8.78
    • D.  Best Practices When Conducting Workplace Investigations  8.79
  • IX.  LIFESTYLE REGULATION  8.80
    • A.  Workplace Conduct  8.81
    • B.  Family Relationships  8.82
    • C.  Nonfraternization Policies  8.83
    • D.  Personal Appearance  8.84
    • E.  Workplace Discussions  8.85
    • F.  Conflict of Interest  8.86
    • G.  Off-Duty Conduct  8.86A
  • X.  EMPLOYERS’ RESPONSIBILITIES REGARDING HANDLING OF INFORMATION
    • A.  Social Security Numbers  8.87
    • B.  Other Personal Information  8.88
      • 1.  Fingerprints and Photographs  8.89
      • 2.  Employee Entering Rehabilitation for Drug and Alcohol Abuse  8.90
    • C.  Disclosure to Third Parties  8.91
      • 1.  References  8.92
      • 2.  Responding to Subpoenas  8.93
      • 3.  Discussing Employee’s Termination  8.94
    • D.  Medical Information Confidentiality
      • 1.  ADA/FMLA  8.95
      • 2.  California Confidentiality of Medical Information Act (CMIA)  8.96
      • 3.  Health Insurance Portability and Accountability Act (HIPAA)  8.97
    • E.  Personnel Files  8.98
    • F.  Immigration Status and Inspections by Immigration Enforcement Agents  8.98A
  • XI.  LITIGATING WORKPLACE PRIVACY ISSUES  8.99

9

International Personal Data Protection and Transborder Transfers

Françoise Gilbert

  • I.  SCOPE OF CHAPTER  9.1
  • II.  CHALLENGES OF GLOBAL PRIVACY COMPLIANCE
    • A.  Understanding Data Protection Laws of Other Countries  9.2
    • B.  When Other Country Has No Data Protection Laws  9.3
  • III.  THE EUROPEAN UNION DATA PROTECTION FRAMEWORK
    • A.  Role of EU Directives  9.4
    • B.  EU Data Protection Reform  9.5
    • C.  Countries Adhering to EU Directives and Regulations  9.6
    • D.  Purpose of EU 1995 Data Protection Directive  9.7
  • IV.  THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION
    • A.  Objectives  9.8
    • B.  Material Scope  9.9
    • C.  Territorial Scope
      • 1.  Entities Established in EU  9.10
      • 2.  Entities Established Outside EU  9.11
      • 3.  Main Establishment of Controller or Processor  9.12
      • 4.  EU Representative  9.13
    • D.  Definitions
      • 1.  Data Subject  9.14
      • 2.  Data Controller  9.15
      • 3.  Data Processor  9.16
      • 4.  Data Protection Officer  9.17
      • 5.  Supervisory Authority  9.18
      • 6.  European Data Protection Board  9.19
      • 7.  European Data Protection Supervisor  9.20
    • E.  Principles Relating to the Processing of Personal Data
      • 1.  General Principles  9.21
      • 2.  Lawfulness of Processing
        • a.  Conditions for Lawfulness  9.22
        • b.  Consent as Basis for Lawful Processing  9.23
        • c.  Processing for Performance of a Contract  9.24
        • d.  Processing to Comply With Legal Obligation of Controller  9.25
        • e.  Processing for Legitimate Interest of Controller  9.26
        • f.  Processing of Special Categories of Data  9.27
        • g.  Conditions Applicable to Child’s Consent  9.28
    • F.  Rights of Data Subjects
      • 1.  General Rights  9.29
      • 2.  Right of Erasure or Right to Be Forgotten  9.30
    • G.  Obligations of Data Controllers
      • 1.  General Responsibilities of Data Controllers  9.31
      • 2.  Data Protection by Design  9.32
      • 3.  Data Protection by Default  9.33
      • 4.  Data Controllers’ Obligations Regarding Exercise of Data Subjects’ Rights  9.34
      • 5.  Data Controller’s Obligations Related to Right to Be Forgotten  9.35
      • 6.  Joint Controllers  9.36
      • 7.  Recordkeeping Requirements for Data Controllers  9.37
      • 8.  Cooperation With Supervisory Authority  9.38
    • H.  Obligations of Processors: Recordkeeping Requirements  9.39
    • I.  Engaging a Data Processor or Subprocessor  9.40
      • 1.  Written Contract Required  9.41
      • 2.  No Further Processing Permitted  9.42
      • 3.  Use of Subprocessors; Controller’s Prior Consent Required  9.43
    • J.  Security of Personal Data
      • 1.  Technical and Organizational Measures Required  9.44
      • 2.  Breach of Security  9.45
      • 3.  Breach Affecting Data Processor  9.46
      • 4.  Notification to Data Subjects by Data Controller  9.47
    • K.  Data Protection Impact Assessment
      • 1.  When Data Protection Impact Assessment Is Required  9.48
      • 2.  Content of Assessment  9.49
      • 3.  Prior Consultation of Supervisory Authority  9.50
    • L.  Data Protection Officer
      • 1.  Entities Required to Appoint Data Protection Officer  9.51
      • 2.  Qualifications of a Data Protection Officer  9.52
      • 3.  Status of Data Protection Officer  9.53
      • 4.  Tasks of Data Protection Officer  9.54
    • M.  Cross-Border Data Transfers  9.55
      • 1.  Transfers With Adequacy Decision  9.56
      • 2.  Transfers by Way of Appropriate Safeguards  9.57
        • a.  Safeguards That Do Not Require Authorization  9.58
        • b.  Safeguards That Require Authorization  9.59
      • 3.  Transfers by Way of Binding Corporate Rules  9.60
      • 4.  Transfers or Disclosures in Context of Litigation  9.61
      • 5.  Derogations for Specific Situations  9.62
    • N.  Remedies
      • 1.  Right to Lodge Complaint With Supervisory Authority  9.63
      • 2.  Right to Effective Judicial Remedy Against Supervisory Authority  9.64
      • 3.  Right to an Effective Judicial Remedy Against Controller or Processor  9.65
      • 4.  Right of Data Subjects to Mandate Not-for-Profit Organizations to Lodge Complaint on Their Behalf  9.66
      • 5.  Right to Compensation and Liability  9.67
        • a.  Administrative Fines
          • (1)  General Conditions for Imposing Administrative Fines  9.68
          • (2)  Amount of Administrative Fines  9.69
            • (a)  10 Million Euros or 2 Percent Annual Turnover Fines  9.70
            • (b)  20 Million Euros or 4 Percent Annual Turnover Fines  9.71
        • b.  Other Fines and Penalties  9.72
    • O.  Codes of Conduct and Certification  9.73
    • P.  Supervisory Authority  9.74
      • 1.  Tasks of Supervisory Authorities  9.75
      • 2.  Investigative Powers of Supervisory Authorities  9.76
      • 3.  Corrective Powers of Supervisory Authorities  9.77
      • 4.  Authorization and Advisory Powers of Supervisory Authorities  9.78
      • 5.  Cooperation With Other Supervisory Authorities  9.79
      • 6.  Lead Supervisory Authority
        • a.  Designation of Lead Supervisory Authority  9.80
        • b.  Cooperation Between Lead Authority and Other Concerned Supervisory Authorities  9.81
    • Q.  Establishment and Duties of European Data Protection Board  9.82
    • R.  Do Not Expect Uniformity in GDPR  9.83
  • V.  TRANSFERRING DATA OUT OF THE EUROPEAN UNION AND THE EUROPEAN ECONOMIC AREA
    • A.  The Privacy Shield  9.84
      • 1.  Self-Certification Process  9.85
      • 2.  Enforcement and Dispute Resolution  9.86
    • B.  Standard Contractual Clauses  9.87
    • C.  Binding Corporate Rules (BCRs) for International Data Transfers  9.88
      • 1.  Content of BCRs  9.89
      • 2.  DPA Cooperation Procedure  9.90
      • 3.  Additional Guidance for Preparation of BCRs  9.91
      • 4.  BCRs for Data Processors  9.92
    • D.  Cloud Computing in the European Economic Area  9.93
  • VI.  THE EUROPEAN UNION 2002 PRIVACY AND ELECTRONIC COMMUNICATIONS DIRECTIVE
    • A.  Recent Developments  9.94
    • B.  Purpose and Scope of 2002 Privacy and Electronic Communications Directive  9.95
    • C.  Unsolicited Commercial Messages
      • 1.  Automatic Calling Machines, Fax, E-mail, and Text Messages  9.96
      • 2.  Personal Telephone Calls  9.97
      • 3.  Identification of E-mail Sender Required  9.98
      • 4.  Right of Action for Electronic Communications Service Providers  9.99
    • D.  Cookies, Spyware, and Similar Devices  9.100
    • E.  Traffic Data  9.101
    • F.  Nonitemized Billing  9.102
    • G.  Blocking Caller Identification  9.103
    • H.  Location Data  9.104
    • I.  Confidentiality and Security
      • 1.  Confidentiality  9.105
      • 2.  Security  9.106
    • J.  Public Directories  9.107
  • VII.  DATA PROTECTION IN THE AMERICAS AND ASIA-PACIFIC
    • A.  The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
      • 1.  Overview of APEC  9.108
      • 2.  Purpose and Scope of APEC Privacy Framework
        • a.  Purpose  9.109
        • b.  Scope  9.110
      • 3.  APEC Privacy Framework’s Information Privacy Principles  9.111
        • a.  Preventing Harm  9.112
        • b.  Notice  9.113
        • c.  Limitation on Collection  9.114
        • d.  Limitation on Use  9.115
        • e.  Choice  9.116
          • (1)  When Appropriate  9.117
          • (2)  Special Categories of Personal Information  9.118
        • f.  Integrity of Personal Information  9.119
        • g.  Security Safeguards  9.120
        • h.  Access and Correction  9.121
        • i.  Accountability  9.122
      • 4.  Enforcement  9.123
      • 5.  APEC Data Privacy Pathfinder and Cross-Border Privacy Rules (CBPR)  9.124
      • 6.  Relationship With Other Countries  9.125
    • B.  Australia’s Privacy Act 1988
      • 1.  Purpose and Scope  9.126
      • 2.  Australian Privacy Principles
        • a.  Collection  9.127
        • b.  Use and Disclosure of Data  9.128
        • c.  Data Quality and Data Security  9.129
        • d.  Openness  9.130
        • e.  Access and Correction  9.131
        • f.  Identifiers and Anonymity  9.132
        • g.  Transfers out of Australia  9.133
        • h.  Sensitive Information  9.134
      • 3.  Supervision, Enforcement, and Penalties  9.135
      • 4.  Other Provisions  9.136
      • 5.  Security Breach Notification  9.137
    • C.  Canada’s Personal Information Protection and Electronic Documents Act  9.138
      • 1.  Scope of Coverage  9.139
      • 2.  Data Collection and Use  9.140
      • 3.  Rights of the Individual  9.141
      • 4.  Confidentiality, Security, and Third Party Transfer  9.142
      • 5.  Supervision; Enforcement  9.143
    • D.  Canada’s Anti-Spam Law  9.144
    • E.  China  9.145
      • 1.  Chinese Laws Protecting Personal Information  9.146
      • 2.  Chinese Cybersecurity Law  9.147
    • F.  Hong Kong’s Personal Data Ordinance  9.148
      • 1.  Scope of Coverage  9.149
      • 2.  Data Collection, Accuracy, Retention, and Use  9.150
      • 3.  Security, Availability, and Access  9.151
      • 4.  Transfers of Data to Third Parties  9.152
      • 5.  Supervision and Enforcement  9.153
      • 6.  Use of Personal Data in Direct Marketing  9.154
      • 7.  Offenses  9.155
    • G.  India  9.156
      • 1.  General Requirements for Collection and Use of Personal Information  9.157
      • 2.  Requirements for Collection and Use of Sensitive Data  9.158
    • H.  Japan’s Act on the Protection of Personal Information  9.159
      • 1.  Data Collection, Use, and Security  9.160
      • 2.  Rights of the Individual  9.161
      • 3.  Transfers to Third Parties and Transfers Outside Japan  9.162
      • 4.  Supervision and Enforcement  9.163
    • I.  Mexico  9.164
      • 1.  Definitions and Data Collected  9.165
      • 2.  Notice and Security  9.166
      • 3.  International Data Transfers  9.167
      • 4.  Enforcement of Right to Data Protection  9.168
    • J.  South Korea  9.169
    • K.  Malaysia  9.170
    • L.  Philippines
      • 1.  Data Privacy Act  9.171
        • a.  Principles of Data Privacy Act  9.172
        • b.  Security, Availability, and Access  9.173
      • 2.  Cybercrime Prevention Act  9.174
    • M.  Singapore  9.175
      • 1.  Data Collection, Retention, and Use  9.176
      • 2.  Security, Availability, and Access  9.177
      • 3.  Supervision and Enforcement  9.178
    • N.  Taiwan  9.179

10

Identity Theft

Matthew J. Cooney

Robert V. Hale II

  • I.  SCOPE OF CHAPTER  10.1
  • II.  IDENTITY THEFT DEFINED
    • A.  Use of Identifying Information of Another  10.2
    • B.  Types of Identity Theft
      • 1.  Financial Identity Theft  10.3
        • a.  Financial Identity Theft That Appears on Credit Reports  10.4
        • b.  Financial Identity Theft That Does Not Appear on Credit Reports  10.5
      • 2.  Criminal Identity Theft  10.6
      • 3.  Identity Cloning  10.7
      • 4.  Cyber Identity Theft  10.8
      • 5.  Business Identity Theft  10.9
      • 6.  Medical Identity Theft  10.9A
  • III.  HOW DOES IDENTITY THEFT OCCUR?  10.10
    • A.  Non-Electronic  10.11
    • B.  Electronic  10.12
  • IV.  FEDERAL IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES
    • A.  Identity Theft Assumption and Deterrence Act  10.13
    • B.  Identity Theft Penalty Enhancement Act  10.14
    • C.  Gramm-Leach-Bliley Act  10.15
    • D.  Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)  10.16
      • 1.  Free Credit Reports  10.17
      • 2.  Fraud Alerts  10.18
      • 3.  Credit Card Truncation  10.19
      • 4.  Blocking Identity Theft-Related Information  10.20
      • 5.  Coordination of Identity Theft Investigations  10.21
      • 6.  Heightened Standard of Accuracy for Furnishers  10.22
      • 7.  Furnisher Obligation to Prevent “Repollution”  10.23
      • 8.  Duty of Furnishers to Provide Transaction Information  10.24
      • 9.  Consumer Right to Dispute Accuracy With Furnisher  10.25
      • 10.  Prohibition on Resale of Identity Theft-Related Debts  10.26
      • 11.  Debt Collector Duty to Notify Creditor of Identity Theft  10.27
      • 12.  Red Flags Rule  10.28
      • 13.  Address Discrepancy Rule  10.29
      • 14.  Card Issuers Rule  10.30
      • 15.  Remedies  10.31
    • E.  Driver’s Privacy Protection Act  10.32
    • F.  Federal Trade Commission Act
      • 1.  FTC Prohibition Against Unfair or Deceptive Business Practices  10.33
      • 2.  FTC Enforcement Actions  10.34
    • G.  Health Insurance Portability and Accountability Act  10.35
  • V.  CALIFORNIA IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES  10.36
    • A.  Criminal Laws
      • 1.  Improper Use of Personal Information  10.37
      • 2.  Impersonation  10.38
      • 3.  Crimes Related to Fraudulent Documentation  10.39
      • 4.  Racketeering  10.40
      • 5.  Criminal Statute of Limitations  10.41
      • 6.  Clearing an Identity Theft Victim’s Name  10.42
    • B.  Civil Laws
      • 1.  Laws Applicable to California Businesses Generally
        • a.  Business Duty to Protect Information  10.43
        • b.  Prohibited Uses of Social Security Numbers
          • (1)  When Businesses May Not Use Social Security Numbers  10.44
          • (2)  Other Prohibitions on Use of Social Security Numbers  10.45
          • (3)  Federal Prohibitions Applicable to California Businesses  10.45A
        • c.  Disposal Law  10.46
        • d.  Anti-Phishing Act  10.47
        • e.  Consumer Protection Against Computer Spyware Act  10.48
        • f.  Security Breach Notification Law  10.49
        • g.  Financial Information Privacy Act  10.50
        • h.  Notification of Disclosures for Business Information Sharing: “Shine the Light” Law  10.51
        • i.  Unfair and Deceptive Practices  10.52
      • 2.  Laws Applicable to Credit Reporting Agencies and Furnishers and Users of Credit Reports: The California Consumer Credit Reporting Agencies Act (CCRAA)  10.53
        • a.  Preemption by Federal Law  10.54
        • b.  Permitted Disclosure of Credit Reports  10.55
        • c.  Credit Information for Transactions Not Initiated by the Consumer  10.56
        • d.  Reasonable Procedures Required Before Releasing Consumer Credit Information  10.57
        • e.  Security Alert  10.58
        • f.  Security Freeze
          • (1)  Placing and Lifting a Security Freeze  10.59
          • (2)  When Security Freeze Does Not Apply  10.60
          • (3)  Credit Reporting Agency’s Obligations When Freeze in Place  10.61
        • g.  Blocking of Credit Information When Identity Theft Shown  10.62
        • h.  Notice of Rights  10.63
        • i.  Free Credit Reports  10.64
        • j.  Businesses’ Sales of Consumer Debt Resulting From Identity Theft  10.65
        • k.  Businesses’ Use of Credit Reports
          • (1)  Matching Credit Application Information With Consumer Credit Information  10.66
          • (2)  Honoring Identity Theft Notices  10.67
          • (3)  Remedies for Failure to Reconcile Credit Application Information or Failure to Honor Identity Theft Notice  10.68
      • 3.  Laws Applicable to Creditors
        • a.  Duty of Creditors to Cooperate With Victims  10.69
        • b.  Declaratory Relief Action  10.70
        • c.  Preapproved Solicitations  10.71
        • d.  Instant Loan Checks  10.72
        • e.  Changes of Address and Credit Cards  10.73
        • f.  Financial Institutions’ Duty to Cooperate With Law Enforcement  10.74
      • 4.  Laws Applicable to Debt Collectors  10.75
      • 5.  Laws Applicable to Merchants
        • a.  Credit Card Transaction Slips  10.76
        • b.  Information That Merchant May Require for Payments by Credit Card  10.77
        • c.  Driver’s Licenses  10.78
        • d.  Payments by Negotiable Instrument  10.79
      • 6.  Other Identity Theft-Related Laws
        • a.  Birth Certificates  10.80
        • b.  Records of Common Interest Developments  10.81
  • VI.  CLAIMS AND LIABILITY  10.82
    • A.  Negligence [Deleted]  10.83
      • 1.  California Statutory Duty of Care [Deleted]  10.84
      • 2.  When Duty of Care Applies [Deleted]  10.85
      • 3.  Negligent Enablement of Impostor Fraud [Deleted]  10.86
      • 4.  Assumption of Duty [Deleted]  10.87
      • 5.  Intervening Criminal Conduct [Deleted]  10.88
      • 6.  Negligent Failure to Notify [Deleted]  10.89
    • B.  Misrepresentation [Deleted]  10.90
    • C.  Invasion of Privacy [Deleted]  10.91
    • D.  Breach of Fiduciary Duty [Deleted]  10.92
    • E.  Infliction of Emotional Distress [Deleted]  10.93
    • F.  Defamation [Deleted]  10.94
    • G.  Breach of Contract [Deleted]  10.95
    • H.  Trespass to Chattels [Deleted]  10.96
    • I.  Other Claims and Defenses [Deleted]  10.97
      • 1.  Causation Issues [Deleted]  10.98
      • 2.  Damages [Deleted]  10.99
  • VII.  PROTECTING AGAINST IDENTITY THEFT  10.100
    • A.  FTC Standards for Safeguarding Customer Information  10.101
    • B.  California Business Privacy Handbook  10.102
    • C.  Incident Response Plan  10.103
    • D.  Cyberinsurance  10.104
    • E.  Third Party Contracts  10.105
      • 1.  Exercising Due Diligence in Vendor Selection  10.106
      • 2.  Key Contract Provisions  10.107
  • VIII.  CHECKLISTS AND FORMS
    • A.  Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program  10.108
    • B.  Checklist: Selecting Third Party Service Providers  10.109
    • C.  Form: Model Business Letter Notifying Customer of Theft of Personal Information  10.110

11

Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims

Denis T. Rice

  • I.  SCOPE OF CHAPTER  11.1
  • II.  UNDERSTANDING THEORIES OF LIABILITY  11.2
    • A.  Privacy- and Security-Oriented Statutes
      • 1.  Federal [Deleted]  11.3
      • 2.  State
        • a.  Security Breach and Breach Notification [Deleted]  11.4
        • b.  Other State Statutes [Deleted]  11.5
    • B.  Copyright, Trademark, and Unfair Competition Statutes [Deleted]  11.6
    • C.  Common Law Contract and Tort Theories [Deleted]  11.7
      • 1.  Examples: Breach of Contract [Deleted]  11.8
      • 2.  Examples: Tort Actions [Deleted]  11.9
  • III.  BASIC PRINCIPLES OF JURISDICTION IN THE UNITED STATES  11.10
    • A.  Personal Jurisdiction in General  11.11
    • B.  Subject Matter Jurisdiction  11.12
    • C.  Personal Jurisdiction and the Internet  11.13
    • D.  State Long-Arm Statutes  11.14
    • E.  Federal Rules of Civil Procedure  11.15
    • F.  Constitution  11.16
  • IV.  DETERMINING WHETHER A U.S. FORUM HAS JURISDICTION OVER A DEFENDANT
    • A.  Is There General Jurisdiction?  11.17
      • 1.  Internet Activity as the Sole Basis for General Jurisdiction  11.18
      • 2.  Internet Activity Plus Other Activity as a Basis for General Jurisdiction  11.19
    • B.  Is There Specific Jurisdiction?  11.20
      • 1.  Constitutional Requirement of Minimum Contacts  11.21
        • a.  Three-Part Minimum Contacts Test  11.22
        • b.  Shifting Burdens and Reasonableness  11.23
      • 2.  Purposeful Direction and the Calder “Effects” Test  11.24
        • a.  The “Effects” Test in Federal Courts
          • (1)  The Ninth Circuit  11.25
          • (2)  “Strict Effects” and “Soft Effects” Test Jurisdictions  11.26
        • b.  The Effects Test in California  11.27
        • c.  Calder and Particular Causes of Action  11.28
      • 3.  “Purposeful Availment”  11.29
      • 4.  Internet Activity as a Basis for Specific Jurisdiction  11.30
        • a.  The Zippo Sliding Scale  11.31
          • (1)  Websites Integral to Business; Interactive Websites  11.32
          • (2)  Passive Websites  11.33
        • b.  Calder Effects Test in Internet Cases  11.34
        • c.  Auction Websites  11.35
    • C.  Foreign Defendants in United States Forums  11.36
      • 1.  Burden of Defending in United States  11.37
      • 2.  Sovereignty  11.38
      • 3.  Foreign Sovereign Immunities Act  11.39
      • 4.  Type of Claim and Test Used by Court  11.40
    • D.  Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security  11.41
  • V.  BASIC PRINCIPLES OF JURISDICTION UNDER INTERNATIONAL LAW  11.42
    • A.  Country’s Authority to Exercise Jurisdiction Over Nonresidents  11.43
      • 1.  Jurisdiction to Prescribe  11.44
      • 2.  Jurisdiction to Adjudicate  11.45
      • 3.  Jurisdiction to Enforce  11.46
    • B.  Choice of Law  11.47
  • VI.  JURISDICTION OVER UNITED STATES RESIDENTS UNDER LAWS OF SELECTED OTHER COUNTRIES
    • A.  European Union  11.48
      • 1.  Brussels Regulation
        • a.  Jurisdiction in Member State Where Defendant Is Domiciled  11.49
        • b.  Jurisdiction Over a Non-Domiciliary Defendant  11.50
          • (1)  Contract, Tort, and Maintenance Matters  11.51
          • (2)  Choice of Forum Agreements  11.52
          • (3)  Consumer Contracts  11.53
          • (4)  Individual Employment Contracts  11.54
          • (5)  Insurance  11.55
          • (6)  Exclusive Jurisdiction  11.56
          • (7)  Cross-Border Disputes  11.57
        • c.  Consumer Contracts Via the Internet  11.58
      • 2.  European Union Data Protection Laws and “Safe Harbor” [Deleted]  11.59
    • B.  United Kingdom  11.60
    • C.  Canada  11.61
    • D.  France  11.62
    • E.  Germany  11.63
    • F.  Italy  11.64
    • G.  Australia  11.65
    • H.  Japan  11.66
    • I.  Hong Kong  11.67
    • J.  China  11.68
  • VII.  ENFORCEMENT OF JUDGMENTS
    • A.  Sister State Judgments in the United States: Full Faith and Credit Clause  11.69
    • B.  Foreign Judgments in the United States
      • 1.  Comity  11.70
      • 2.  Uniform Foreign-Country Money Judgments Recognition Act  11.71
      • 3.  Public Policy Considerations  11.72
    • C.  United States Judgments in Foreign Countries
      • 1.  Consider Local Enforcement Requirements  11.73
        • a.  Determine Local Law  11.74
        • b.  Consider Local Enforcement Procedures  11.75
      • 2.  Selected Foreign Countries
        • a.  Canada
          • (1)  “Real and Substantial Connection” Test  11.76
          • (2)  Defenses to Enforcement  11.77
        • b.  France  11.78
        • c.  Germany  11.79
        • d.  United Kingdom  11.80
  • VIII.  PRE-DISPUTE CONSENT TO JURISDICTION OVER INTERNET TRANSACTIONS  11.81
    • A.  United States Approach to Pre-Dispute Contractual Choice of Law and Forum  11.82
      • 1.  Click-Wrap Agreements  11.83
      • 2.  Browse-Wrap Agreements  11.84
    • B.  European Union Approach to Pre-Dispute Contractual Choice of Law and Forum  11.85
    • C.  Checklist: Creating a Website Offering Goods and Services Online to Consumers  11.86

12

Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial

James G. Snell

Sheila M. Pierce

  • I.  SCOPE OF CHAPTER  12.1
  • II.  LITIGATION IN DATA BREACH AND PRIVACY CASES
    • A.  Class Actions  12.2
      • 1.  Statutory Class Certification
        • a.  California Class Actions  12.3
        • b.  Federal Class Actions  12.4
      • 2.  Constitutional Standing Requirements  12.5
        • a.  Injury in Fact  12.6
          • (1)  Assertion of Violation of Statute  12.6A
          • (2)  Fear of Injury and Threat of Future Harm  12.6B
          • (3)  Mitigation Costs as Injury  12.6C
        • b.  Causation  12.7
      • 3.  Damages
        • a.  Pleading Damages  12.8
        • b.  Mitigation  12.9
      • 4.  Cy Pres Settlements  12.10
    • B.  Causes of Action
      • 1.  Private Rights of Action  12.11
        • a.  Under Federal Law  12.12
        • b.  Under State Law  12.13
      • 2.  Defenses  12.14
      • 3.  Common Law Causes of Action  12.15
        • a.  Negligence  12.16
        • b.  Negligent or Intentional Misrepresentation  12.17
        • c.  Invasion of Privacy  12.18
        • d.  Breach of Fiduciary Duty  12.19
        • e.  Infliction of Emotional Distress  12.20
        • f.  Defamation  12.21
        • g.  Breach of Contract  12.22
        • h.  Trespass to Chattels  12.23
        • i.  Traditional Tort Actions  12.24
        • j.  Unjust Enrichment  12.25
        • k.  Breach of Covenant of Good Faith and Fair Dealing  12.26
      • 4.  Unfair Business Practices  12.27
      • 5.  Shareholder Derivative Action  12.28
  • III.  PRIVACY CONSIDERATIONS DURING INVESTIGATIONS  12.29
    • A.  Public Records  12.30
    • B.  Specific Requests for Government Agency Information  12.31
      • 1.  Freedom of Information Act (FOIA)  12.32
        • a.  Obtaining Information Under the FOIA  12.33
        • b.  FOIA Privacy Exemptions  12.34
      • 2.  California Public Records Act (CPRA)  12.35
        • a.  Obtaining Information Under the CPRA  12.36
        • b.  Exemptions From the CPRA  12.37
          • (1)  Specific Exemption  12.38
          • (2)  “Catchall” Exemption  12.39
    • C.  Other Information  12.40
      • 1.  Personal Medical and Credit Information  12.41
      • 2.  Financial Institution Customer Information  12.42
      • 3.  Prohibitions of Deceptive Acts or Practices  12.43
      • 4.  Obtaining Phone Records Without Consent or by Fraud or Deceit  12.44
      • 5.  “Phishing”  12.45
      • 6.  Eavesdropping  12.46
      • 7.  Accessing Computers  12.47
      • 8.  Adhering to Contractual Obligations  12.48
      • 9.  Contacting Parties and Witnesses
        • a.  Represented Party  12.49
          • (1)  Actual Knowledge of Representation  12.50
          • (2)  Communications With Opposing Party’s Employees, Officers, or Directors  12.51
        • b.  Expert Witnesses  12.52
      • 10.  Government Access to Information; Sharing Information With Government  12.52A
    • D.  Document Preservation  12.53
      • 1.  Duty to Preserve Under Federal Law
        • a.  Spoliation  12.54
        • b.  Spoliation and Electronic Documents  12.55
        • c.  Preservation Orders  12.56
      • 2.  Duty to Preserve Under California Law  12.57
      • 3.  Privacy and Metadata  12.58
  • IV.  PRIVACY CONSIDERATIONS WHEN LAWSUIT IS FILED
    • A.  Protecting the Name of the Plaintiff  12.59
      • 1.  Federal Practice  12.60
      • 2.  California  12.61
    • B.  Social Security and Other Numbers  12.62
    • C.  Privacy in Electronic Court Documents  12.63
      • 1.  California  12.64
      • 2.  Federal  12.65
  • V.  PRIVACY CONSIDERATIONS WHEN RESPONDING TO DISCOVERY REQUESTS
    • A.  Producing Metadata  12.66
    • B.  Inadvertent Disclosure  12.67
    • C.  Work Product Doctrine, Specific Privileges, and Other Protections  12.68
      • 1.  Work Product Doctrine
        • a.  California  12.69
        • b.  Federal  12.70
      • 2.  Attorney-Client Privilege
        • a.  California  12.71
        • b.  Federal  12.72
      • 3.  Personal Financial Privilege
        • a.  California  12.73
        • b.  Federal  12.74
      • 4.  Marital Privileges
        • a.  California  12.75
          • (1)  Testimonial Privilege  12.76
          • (2)  Spousal Communications Privilege  12.77
        • b.  Federal  12.78
          • (1)  Adverse Spousal Testimonial Privilege  12.79
          • (2)  Marital Communications Privilege  12.80
      • 5.  Physician-Patient Privilege
        • a.  California
          • (1)  Nature of Privilege  12.81
          • (2)  Exceptions  12.82
        • b.  Federal  12.83
      • 6.  Psychotherapist-Patient Privilege
        • a.  California  12.84
        • b.  Federal  12.85
      • 7.  Clergyperson-Penitent Privilege
        • a.  California  12.86
        • b.  Federal  12.87
      • 8.  Privilege Against Self-Incrimination
      • 9.  California  12.88
      • 10.  Federal  12.89
    • D.  Sexual Assault Victim-Counselor Privilege
      • 1.  California  12.90
      • 2.  Federal  12.91
    • E.  Domestic Violence Victim-Counselor Privilege
      • 1.  California  12.92
      • 2.  Federal  12.93
    • F.  Self-Critical Analysis Privilege
      • 1.  California  12.94
      • 2.  Federal  12.95
    • G.  Official Information Privilege
      • 1.  California  12.96
      • 2.  Federal  12.97
    • H.  State Secrets Privilege  12.98
    • I.  Settlement/Mediation Privilege
      • 1.  California  12.99
      • 2.  Federal  12.100
    • J.  Trade Secrets  12.101
      • 1.  California  12.102
      • 2.  Federal  12.103
    • K.  Voter Privilege  12.104
    • L.  Common Interest Privilege or Joint Defense Privilege
      • 1.  California  12.105
      • 2.  Federal  12.106
    • M.  Free Speech Privileges
      • 1.  Free Association  12.107
      • 2.  Anonymous Speech  12.108
      • 3.  Journalist’s Privilege
        • a.  Federal Law  12.109
        • b.  California Law  12.110
    • N.  Traditional Privacy Rights  12.111
      • 1.  California Constitution  12.112
      • 2.  Federal Privacy Act of 1974  12.113
      • 3.  Personal Financial Information Privacy  12.114
      • 4.  Consumer and Employment Records Subpoenas  12.115
      • 5.  Consumer Records Subpoenas in Class Actions  12.116
      • 6.  Overbroad Subpoenas  12.117
    • O.  Discovery in Specific Types of Cases
      • 1.  Marital Dissolution  12.118
      • 2.  Sexual Harassment Lawsuits  12.119
    • P.  Discovery When One Party Is a Corporation  12.120
    • Q.  International Considerations  12.121
  • VI.  MOTIONS TO SEAL  12.122
    • A.  Federal Court Motions to Seal
      • 1.  General Principles  12.123
      • 2.  Local Court Rules  12.124
    • B.  California Court Motions to Seal  12.125
      • 1.  Procedure  12.126
      • 2.  Cases Concerning Interest to Seal Versus Public’s Right to Access  12.127
  • VII.  PRIVACY AT TRIAL  12.128
    • A.  Gag Orders  12.129
    • B.  Privilege Against Self-Incrimination  12.130
    • C.  Media Access to Courtroom  12.131
    • D.  Sixth Amendment Right to Confront Witnesses  12.132
    • E.  Request for Private Trial  12.133

PRIVACY COMPLIANCE AND LITIGATION IN CALIFORNIA

(1st Edition)

September 2018

TABLE OF CONTENTS

File Name | Book Section | Title
CH03 | Chapter 3 | Information Security and Security Breach
03-049B | §3.49B | Model Security Breach Notification
CH04 | Chapter 4 | Internet and Electronic Privacy
04-026 | §4.26 | Website Privacy Policy
04-034 | §4.34 | Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information
CH05 | Chapter 5 | Marketing and Sales Regulation
05-018 | §5.18 | Sample Children’s Website Privacy Policy
05-029 | §5.29 | Checklist: COPPA Compliance
05-045 | §5.45 | Opt-Out Notice
05-091 | §5.91 | Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities
05-093 | §5.93 | Sample Information-Sharing Disclosure Statement; Affiliated Entities
CH06 | Chapter 6 | Financial Data Privacy
06-064 | §6.64 | Checklist: PCI DSS Requirements
CH07 | Chapter 7 | Health Information Privacy
07-088 | §7.88 | Authorization for the Use and/or Disclosure of Protected Health Information
07-109A | §7.109A | Sample Business Associate Agreement
CH08 | Chapter 8 | Workplace Privacy
08-073 | §8.73 | Sample Electronic Information Systems Policy
CH10 | Chapter 10 | Identity Theft
10-108 | §10.108 | Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program
10-109 | §10.109 | Checklist: Selecting Third Party Service Providers
10-110 | §10.110 | Model Business Letter Notifying Customer of Theft of Personal Information
CH11 | Chapter 11 | Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims
11-041 | §11.41 | Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security
11-086 | §11.86 | Checklist: Creating a Website Offering Goods and Services Online to Consumers

Selected Developments

September 2018 Update

As of March 28, 2018, when Alabama enacted its own data breach notification law, all the states now have such laws. See §1.2.

California enacted the California Consumer Privacy Act of 2018 (CC §§1798.100–1798.198), operative January 1, 2020, to give customers of specified businesses in California expanded control over personal information that businesses collect about them and to expand the ability to bring lawsuits for data breach. See §§1.3, 4.11A, 12.6.

In a medical privacy case, the California Supreme Court held that the state’s interest overcomes the privacy interests of patients for whom certain drugs were prescribed. Lewis v Superior Court (2017) 3 C5th 561. See §§1.3, 7.2.

The United States Supreme Court held that, generally speaking, someone in otherwise lawful possession and control of a rental car has a Fourth Amendment reasonable expectation of privacy in it even if the rental agreement did not list him or her as an authorized driver. Byrd v U.S. (May 14, 2018, No. 16–1371) 2018 US Lexis 2803. See §§1.3, 2.4A.

The U.S. Supreme Court held that the government’s accessing of a defendant’s cell-site location information was a search under the Fourth Amendment requiring a warrant supported by probable cause. Furthermore, an order under 18 USC §2703(d) is insufficient to obtain the location information from a wireless carrier. Carpenter v U.S. (June 22, 2018, No. 16–402) 2018 US Lexis 3844. See §§1.3, 2.4A, 4.43, 8.70.

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was enacted on March 23, 2018, as part of the Consolidated Appropriations Act, 2018 (Pub L 115–141, 132 Stat 348). It amends the Stored Communications Act (SCA) (18 USC §§2701–2713) to establish processes and procedures for law enforcement requests for data in other countries. See §§1.4, 4.43, 12.52A.

A unanimous California Supreme Court held that the identity of various members of a statewide class did not constitute private information. Williams v Superior Court (2017) 3 C5th 531. See §§2.7, 12.116.

The Ninth Circuit Court of Appeals held that a unique IP address is not protected “personally identifiable information” under the Video Privacy Protection Act of 1988 (VPPA) (18 USC §2710). Eichenberger v ESPN (9th Cir 2017) 876 F3d 979. See §§4.9A, 12.6A.

In another Ninth Circuit case, the court rejected a challenge to a cy pres settlement fund as invalid due to potential conflicts of interest resulting from connections between Google and some of the cy pres fund recipients. Gaos v Holyoak (In re Google Referrer Header Privacy Litig.) (9th Cir 2017) 869 F3d 737, cert granted sub nom Frank v Gaos (Apr. 30, 2018) 2018 US Lexis 2658. See §4.9A.

The California Legislature amended provisions governing when a rental car company may use electronic surveillance technology to permit its use when a rental car company’s vehicle is the subject of an AMBER Alert. Stats 2017, ch 163. See §4.11.

The U.S. District Court for the Northern District of California granted a motion for summary judgment and permanently enjoined the State of California from enforcing CC §1798.83.5 on the grounds that it violates the First Amendment. IMDb.com, Inc. v Becerra (ND Cal, Feb. 20, 2018, No. 16-cv-06535-VC) 2018 US Dist Lexis 27898. See §4.12.

The Ninth Circuit affirmed the conviction of a company IT manager under the Computer Fraud and Abuse Act (CFAA) (18 USC §1030) when he had taken several actions designed to damage the company’s computer network, even though he argued on appeal that because he had authority over the network as part of his job he did not exceed his authority to access the system as required for a conviction under the CFAA. U.S. v Thomas (5th Cir 2017) 871 F3d 591. See §4.21.

In October 2017, the U.S. Department of Justice revised its policy regarding the use of so-called gag orders for subpoenas and search warrants issued pursuant to the Stored Communications Act (SCA) (18 USC §§2701–2713) to permit service providers to alert users when their data has been provided to the government. See §4.43.

The U.S. District Court for the Northern District of California dismissed a plaintiff’s cause of action under Bus & P C §17529.5 against a defendant who allegedly sent the plaintiff 1300 false or misleading commercial e-mails on the grounds that §17529.5 only prohibits advertisers (but not senders) from engaging in these practices and the sender of the e-mails involved did not advertise in the e-mails. Blanchard v Fluent, Inc. (ND Cal, Sept. 22, 2017, No. 17-CV-04497-MMC) 2017 US Dist Lexis 155535. See §5.52.

Regulations governing the federal Telephone Consumer Protection Act (TCPA) (47 USC §227), which are at 47 CFR §64.1200, were amended on January 12, 2018, to allow voice service providers to block certain calls. 83 Fed Reg 1577 (Jan. 12, 2018). See §5.55.

In February 2018, the SEC adopted “interpretive guidance” to assist public companies on disclosing cybersecurity risks and incidents. 83 Fed Reg 8166 (Feb. 26, 2018). See §6.2.

Allegations that the defendant published a consumer credit report that falsely stated the plaintiff’s age, marital status, wealth, education level, and profession, which prevented plaintiff from finding employment, were sufficiently concrete to establish US Const art III standing. Robins v Spokeo, Inc. (9th Cir 2017) 867 F3d 1108 (Spokeo III). See §§6.29, 12.6A.

The Bureau of Real Estate has no mandatory duty to remove evidence of previous criminal convictions of a real estate salesperson from its website. See Skulason v California Bureau of Real Estate (2017) 14 CA5th 562. See §8.14.

To be an actionable offense, an employer illegally recording or eavesdropping on employee phone calls must be acting intentionally. Rojas v HSBC Card Servs. (2017) 20 CA5th 427. See §8.65.

The California Code of Regulations was amended to permit employees to perform job duties that correspond to their gender identity or gender expression. 2 Cal Code Regs 11031(e). See §8.84.

Effective January 1, 2018, the Immigrant Worker Protection Act imposes various prohibitions and requirements on private and public employers regarding employment eligibility verification forms and workplace inspections by immigration enforcement agents. A new section has been added in chap 8 discussing the Act. Stats 2017, ch 492. See §8.98A.

The Social Security Number Fraud Prevention Act of 2017 (Pub L 115–59, 131 Stat 1152) amends the Social Security Act to require federal agencies to issue regulations specifying when inclusion of a Social Security number on a document sent by mail is necessary. See §10.45A.

A federal district court in New York held that a plaintiff was entitled to insurance coverage for an e-mail–based “spoofing” fraud that resulted in the company transferring over $4.7 million to the spoofer. Medidata Solutions v Federal Ins. Co. (SDNY 2017) 268 F Supp 3d 471. See §10.104.

A violation of the Fair Credit Reporting Act (FCRA) (15 USC §§1681–1681x) gives rise to an injury sufficient for US Const art III standing even without evidence that the plaintiffs’ information was used improperly. In re Horizon Healthcare Servs. Data Breach Litig. (3d Cir 2017) 846 F3d 625. However, although a plaintiff received a credit card receipt displaying the card’s full expiration date, his mere allegation of violation of FCRA was insufficient to confer art III standing. Bassett v ABM Parking Servs., Inc. (9th Cir 2018) 883 F3d 776. See §12.6A.

Law enforcement training manuals need not be linked to enforcement of a more specific statute to be exempt from disclosure under the exemption of 5 USC §552 for materials compiled for law enforcement purposes. ACLU of N. Cal. v FBI (9th Cir 2017) 881 F3d 776. See §§12.34, 12.38.

The California Legislature amended CC §1708.85 to provide more protections throughout the proceedings for plaintiffs suing for relief from “revenge porn” and using pseudonyms to protect their identities from the public. Stats 2017, ch 233. See §12.61.

A California state court held that the psychotherapist-patient privilege does not prevent disclosure of a patient’s records to the state. Cross v Superior Court (2017) 11 CA5th 305. See §12.84.

A California appellate court found that Yelp could be compelled to produce documents that might reveal the identity of a reviewer who posted on its website because the plaintiff had demonstrated a sufficient prima facie case of defamation. Yelp, Inc. v Superior Court (2017) 17 CA5th 1. See §12.108.

In an issue of first impression, the Sixth Circuit developed a test for whether and under what circumstances a court can properly protect the identity of an anonymous online speaker after entry of judgment against him or her. Signature Mgmt. Team, LLC v Does (6th Cir 2017) 876 F3d 831. See §12.108.

About the Authors

JONATHAN D. AVILA is Vice President, Chief Privacy Officer of Wal-Mart Stores, Inc., where he supervises data privacy law counseling and compliance for the domestic and international operations of Walmart Stores. He was formerly Vice President—Chief Privacy Officer of the Walt Disney Company. Before joining Disney, he was General Counsel and Chief Privacy Officer of Mvalue.com, Inc., and also served as Litigation Counsel to CBS Broadcasting, Inc., where he represented CBS in privacy litigation. Mr. Avila is a past President of the International Association of Privacy Professionals (IAPP) and was a member of the Advisory Group to the California Office of Privacy Protection with respect to its Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements (SB 27). Mr. Avila received a B.A. degree from Yale University (cum laude) and a J.D. degree from Harvard Law School as well as a diploma from the University of Salamanca (Spain). He is a coauthor of chapter 5 (Marketing and Sales Regulation).

MATTHEW J. COONEY is Senior Counsel at California State Automobile Association of Northern California, Nevada, and Utah, where he leads the technology and procurement practice areas. Mr. Cooney is an active member of the San Francisco Bar Association and the State Bar of California, where he is also a member of the Cyberspace Law Committee of the Business Law Section. He received a B.S. degree from the University of California, Berkeley, and a J.D. degree from Golden Gate University School of Law (cum laude). Mr. Cooney is a coauthor of chapter 10 (Identity Theft).

FRANÇOISE GILBERT is a shareholder at Greenberg Traurig, LLP, East Palo Alto. Her practice focuses on privacy and cybersecurity in a variety of contexts such as big data, Internet of things, artificial intelligence, wearables, autonomous vehicles, smart cities, and robots. She advises clients on developing and implementing information privacy and security strategies, data protection by design, and compliance programs at the domestic and global levels. She holds CIPP/US, CIPP/EU, and CIPM certifications from the International Association of Privacy Professionals. In 2014, Ms. Gilbert was named San Francisco Lawyer of the Year in the area of Information Technology by Best Lawyers Magazine. Her work in the information privacy and cybersecurity areas has been consistently recommended by Chambers Global (2009–present), Best Lawyers in America (2008–present) and Who’s Who in Internet, ECommerce and Telecommunication Laws (1998–present). She is the author of Global Privacy and Security Law (2009–present, Aspen Publishers/Wolters Kluwer Law and Business). Ms. Gilbert holds undergraduate and graduate degrees in mathematics from the Universities of Paris and Montpellier (France) and J.D. degrees from the University of Paris (France) and Loyola University School of Law in Chicago, Illinois. She is the author of chapter 3 (Information Security and Security Breach) and chapter 9 (International Personal Data Protection and Transborder Transfers).

ROBERT V. HALE II is in-house counsel at Apollo Group, Inc., where he handles consumer, transactional, and regulatory matters. Before joining Apollo in 2010, he served as Vice President and Senior Counsel at HSBC North America, and in similar roles at other financial institutions. He is the author of Wi-Fi Access and Operation Liability, published in The SciTech Lawyer. Mr. Hale serves as an Advisor to the Financial Institutions Committee and the Cyberspace Committee of the Business Law Section of the State Bar of California. He is Executive Managing Editor of the Journal of Internet Law (Aspen Publishers). Mr. Hale received his B.A. degree from Sarah Lawrence College and his J.D. degree from the University of San Francisco School of Law. He is a coauthor of chapter 10.

CATHERINE D. MEYER is Counsel with Pillsbury Winthrop Shaw Pittman LLP. She was a partner with the firm for 20 years, practicing in the areas of finance and privacy regulation and compliance. Ms. Meyer advises financial institutions and other companies on privacy, including rights to financial privacy and protection of customers’ privacy rights under state, federal, and international statutes and regulations. She regularly counsels commercial clients on compliance with regulations affecting the collection, use, sale, transfer, and sharing of customer and employee information on a local to global scale. She assists with marketing issues, such as unsolicited commercial e-mail, fax, and telephone communications, marketing to children, and issues specific to credit card and check transactions and data security breaches. She has served as co-chair of the Business Department of the Los Angeles Office and of the firm-wide Privacy and Data Protection Practice Team. Ms. Meyer is a frequent speaker and writer on data protection and privacy issues, and sits on the Board of Editors of the Privacy & Data Security Law Journal and the Privacy & Data Security Review. Ms. Meyer received an A.B. degree from Bryn Mawr College and a J.D. degree from Northwestern University School of Law. She is a coauthor of chapter 5 (Marketing and Sales Regulation).

DENISE OLRICH, of the Law Office of Denise Olrich, is a business attorney specializing in the legal needs of the entrepreneur, including e-commerce, privacy and cyberlaw matters, intellectual property matters, trademark registration, business formation, corporations and partnerships, business transactions, bankruptcy and bankruptcy litigation, as well as business litigation in the state courts. Ms. Olrich regularly lectures to attorneys, business groups, and students regarding business and cyberspace law matters. She served on the committee that drafted California’s new revised limited partnership law. She is an Advisor to the Executive Committee of the Business Law Section of the State Bar of California and has chaired the Cyberspace Law Committee, as well as the Partnerships and Limited Liability Companies Committee of the Business Law Section. Ms. Olrich received a B.A. degree from Michigan State University and a J.D. degree from Thomas M. Cooley Law School in Lansing, Michigan. She is the author of chapter 4 (Internet and Electronic Privacy).

SHEILA M. PIERCE is an associate in the Silicon Valley office of Bingham McCutchen LLP, where she represents clients on issues such as breach of contract, patent infringement, securities violations, privacy matters, civil rights matters, and product liability. She has also advised clients on issues related to Internet privacy and data security laws. Ms. Pierce has a J.D. degree from the University of San Francisco School of Law and a B.A. degree from San Francisco State University (summa cum laude). She is a coauthor of chapter 12 (Privacy Before and During Litigation).

DENIS T. RICE, of Arnold & Porter, LLP, San Francisco, practices in a broad range of areas, including corporate and securities matters, and Internet and e-commerce law. Mr. Rice was a founding director of Howard Rice Nemerovski Canady Falk & Rabkin PC. He is chair of the Committee on Developments in Business Financing of the American Bar Association and a Board Member of the International Technology Law Association. He has litigated complex cases, including class actions, in state and federal courts involving securities fraud, fiduciary duties, corporate governance, antitrust, trademarks, and trade secrets. Mr. Rice has lectured on information technology, privacy, securities, electronic commerce, and litigation in cities around the world. He serves as a panel arbitrator and mediator for both the American Arbitration Association and the World Intellectual Property Organization. Mr. Rice holds an undergraduate degree from Princeton University, Woodrow Wilson School of Public and International Affairs (Phi Beta Kappa), and a law degree from the University of Michigan Law School (Order of the Coif; Associate Editor, Michigan Law Review). He is the author of chapters 1 (Challenges of Privacy Compliance and Litigation) and 11 (Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims).

PAUL T. SMITH is a partner with Hooper, Lundy & Bookman, PC, San Francisco, where he advises clients in health care and other industries on corporate formation and governance, joint ventures, financing, reimbursement, and regulatory compliance, and also represents technology companies in transaction, financing, and licensing matters, and data privacy and security. Mr. Smith has practiced in the U.S. health care industry since 1982, representing hospitals, hospital associations, medical groups, and provider network organizations. He has been named as one of “America’s Leading Lawyers for business” in health care by Chambers USA, 2005–2010, and was selected to the “Northern California Super Lawyers” in health care law and business/corporate law in 2010. He has spoken on health-care-related topics at numerous conferences, including the American Bar Association, the California Society of Healthcare Attorneys, the IBM/Modern Healthcare National HIPAA Conferences, and the HIPAA Summits. He holds B.A. and LL.B. (cum laude) degrees from the University of Natal School of Law (South Africa). Mr. Smith is the author of chapter 7 (Health Information Privacy).

JAMES G. SNELL is a partner in the Silicon Valley office of Bingham McCutchen LLP, where he is co-chair of the firm’s Privacy and Security Group and former co-chair of the firm’s Intellectual Property Group. He has particular experience in privacy, Internet, and marketing issues, and represents clients in a broad range of complex commercial matters, including Internet, privacy, and trade secret matters, false advertising, and class actions. Mr. Snell is a frequent speaker at bar association and firm events and in-house seminars regarding electronic discovery issues, patent litigation, unfair competition, trade secret law, electronic communications and privacy, among other topics. He was recognized as a Northern California “Super Lawyer” by Law & Politics and San Francisco magazine in 2005. He has a J.D. degree from the University of California, Hastings College of the Law, and a B.A. degree from the University of California, Santa Barbara. Mr. Snell is a coauthor of chapter 12 (Privacy Before and During Litigation).

RONALD J. SOUZA is a partner in the law firm of Lynch, Gilardi & Grummer PC, in San Francisco, where he practices in the area of labor and employment litigation. He has been an employment law specialist for the last 15 years. A frequent presenter, speaker, and panelist, Mr. Souza regularly addresses professional groups and corporate executives on employment-related topics, including employment privacy, sexual harassment, and employment litigation practices. Mr. Souza is a member of the American Board of Trial Advocates (ABOTA). He also serves as Judge pro tem for the San Francisco Superior Court. He is a founding member of a chapter of the American Inns of Court, an organization of lawyers and judges dedicated to civility and ethics in law practice. Mr. Souza graduated with academic and athletic honors from Washington State University in 1969 and earned his J.D. (cum laude) degree from Santa Clara University School of Law in 1974. He is the author of chapter 8 (Workplace Privacy).

ROY G. WEATHERUP is a partner of Lewis Brisbois Bisgaard & Smith LLP, where he heads the Appellate Practice Group in the firm’s Los Angeles office. He specializes in appellate practice, about which he has lectured extensively. Mr. Weatherup is a member of the California Academy of Appellate Lawyers and the committee that produces the Book of Approved Jury Instructions (BAJI). He has been responsible for more than 1200 appellate briefs in over 800 cases, resulting in about 200 published opinions. He holds a law degree from Stanford University School of Law and an undergraduate degree from Stanford University. He is the author of chapter 2 (Common Law and Constitutional Privacy Protection).

OnLAW System Requirements:
Desktop: Windows XP, 7 or 8, Mac OS 10.8
Mobile: iOS6, iOS7, Android 4.2
Firefox, Chrome, IE and Safari browsers

Note: OnLAW may work with some devices running older versions of these Operating Systems or Windows RT; however, functionality is not guaranteed.

Please see FAQs for more details.
Products specifications
PRODUCT GROUP Publication
PRACTICE AREA Business Law