Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
No Federal Protection For Subscriber Information; Ohio Bill Guards Private Data
October 11, 2005
NO FEDERAL PROTECTION FOR SUBSCRIBER INFORMATION
An Internet service provider may disclose subscriber information in its possession without violating the affected customer's right to privacy under the Fourth Amendment, according to a federal district court in Connecticut.
Based on its finding, the district court dismissed the AOL subscriber's Fourth Amendment claim against several city officials who obtained account information from AOL by using an unsigned search warrant. But, because the state constitution could afford broader protection than the United States constitution, the court asked the Connecticut Supreme Court to determine if the subscriber's information could be protected under that state's constitution.
The AOL subscriber filed his complaint against his township and two of its police officers. He alleged that the police officers violated his right to privacy, as well as his First Amendment right to anonymous speech, by obtaining his subscriber information from AOL using a warrant that was unsigned by a judge.
The court denied the Fourth Amendment claim, however, because it found that the subscriber had no objectively reasonable expectation of privacy in the information. The court felt that the subscriber agreement, which expressly permitted AOL to reveal Plaintiff's subscriber information when necessary, diminished the subscriber's privacy expectation.
The federal court acknowledged that the Connecticut constitution could offer broader privacy protections. According to the federal court, "[T]he Connecticut Supreme Court has, on a number of occasions, held that Article First, §7 of the constitution of Connecticut provides an individual with more protection than under the federal Fourth Amendment". But, because no Connecticut state court had considered the question, the federal court certified the question to the Connecticut Supreme Court.
OHIO BILL GUARDS PRIVATE DATA
On August 2, the Ohio House unanimously passed a bill that mandates that any Ohioan whose personal information is compromised by a computer database breach be notified under a bill. It is expected that the State Senate will pass the bill as well.
Under the bill, any state or local agency, including the offices of elected officials, or businesses operating in Ohio that maintain computer records of personal information, would be required to notify individuals within 45 days of the discovery of any breach that "causes or reasonably is believed to cause injury or loss to the person or property of a resident."
The bill would also require a business or person maintaining computerized data on behalf of another to notify affected parties of a security breach. A law enforcement agency could delay notification, however, if the agency decided that notification might impede a criminal investigation.
Under the bill, "personal information," includes an individual's first name or first initial and last name in combination with any other data element, including Social Security number, driver's license or state identification card number, and financial account, credit card, or debit card number with access codes.
The bill would permit notice in writing or by e-mail or telephone. The bill would also allow notice to be given via e-mail when addresses are known, in addition to, posting a notice on the covered entity's Web site and in statewide media. Unlike other state privacy laws, which permit Web and media announcements as a form of substitute notice only if notice by other allowable means would be very expensive or involve notice to a large number of individuals, the Ohio bill allows for notice via e-mail, a Web posting, or through the statewide media regardless of the circumstances.
The House bill provides covered entities that maintain their own breach notification procedures consistent with the state law having a safe harbor from the bill's notification requirements. Entities already covered by federal law breach notification requirements are exempt from the state law.
Agencies or businesses failing to follow the bill's breach notification requirements could be investigated by Ohio's Attorney General, who would be authorized to bring a civil action that could result in penalties of up to $1,000 for each day of non-compliance. Any civil penalties would fund expenses incurred by the Consumer Protection Section of the Attorney General's office.
Graydon Head & Ritchey Enhances Client Service with Launch of New Web Site!
Graydon Head & Ritchey has locations across the Greater Cincinnati region.
Downtown Cincinnati
1900 Fifth Third Center
511 Walnut St.
Cincinnati, OH 45202
p: (513) 621-6464
f: (513) 651-3836
Northern Kentucky
2500 Chamber Center Dr.
Suite 300
P.O. Box 17070
Ft. Mitchell, KY 41017
p: (859) 282-8800
f: (859) 525-0214
Coming Soon!
Northern Cincinnati Office
If you have questions about any of the above information, please contact Jack Greiner at 513-629-2734 or jgreiner@graydon.com.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.