• allows OnStar to continue collecting information from its links even after a customer cancels service, unless the customer specifically requests OnStar not to; and
• removes language that said that OnStar would not share customer data with third-party marketers without explicit customer consent.

Changes to privacy polices aren’t usually notable. But I think there are some interesting things going on here.

First, although it has been claimed that the new policy allows OnStar to share anonymized information, including GPS (speed and location) information, that does not appear to be a recent addition. The current privacy policy already allows OnStar to “share or sell any anonymized data (including location, speed, and safety belt usage) with third parties for any purpose.” That conflicts to some extent with the language claiming that OnStar would not sell information to third-party marketers without consent, so perhaps the removal of that language allows OnStar to share the data with marketers. On the other hand, that limiting language does not appear in the actual policy, only in the summary information at the top of the “Our Privacy Practices” page. Because it’s unclear what the old policy allowed, it’s hard to tell what the new policy added.

Second, the change highlights how much people read into privacy policies. For example, CNET suggests that language allowing OnStar to transfer data in the event that part of its business is spun off (so that the new business has the data) could be read as indicating plans to spin off part of the business. I’m not even sure if that language was new (I can’t find a copy of the 2010 policy to compare it to).

Finally, GPS data is really sensitive, and people are justifiably worried about tracking—in the literal sense. Thus, any policy change that seems to allow greater use of that information, even if intended to clarify existing practice, is going to set off alarms.

Personally, I think the biggest area of concern in OnStar’s privacy policy is that it doesn’t really define how data is “anonymized.” There are at least two possibilities. “Anonymizing” could mean removing traditional personal information (name, address, VIN, etc.) from GPS data, but leaving other information intact, such as the information needed to track a vehicle’s movements from place to place. That wouldn’t be much protection, because if you can watch a car go to a house and park there overnight every night, you have a pretty good idea who that car belongs to. The better approach would be to “anonymize” the data so that not only is the car not directly associated with a person, but so that any individual car’s movements cannot be tracked. Thus, I don’t think is true, as has been suggested, that it is impossible to anonymize GPS data. But it has to be done right, and the new privacy policy doesn’t indicate whether OnStar will do it right.

Well, yes. If you’re using “12345678″ as the password for your online banking account, perhaps you should reconsider that choice. And if your online banking account has the same password as your account for a message board, we should have a serious chat. But not all accounts are created equal, and no human can remember separate passwords for every single site that demands account registration—nor should they have to. Password vaults and Bruce Schneier’s idea of writing down important passwords and putting them in your wallet, while useful, have practical limits. Does anyone really want to look up every single password? And I can’t fit a phone book in my wallet.

The answer, in my opinion, is to know which passwords are important and which are not. Here’s my own personal hierarchy of password importance:

1. Passwords for sites that want you to create an account for their convenience, not yours.
For example, if a news site wants readers to create accounts solely to track what they’re doing, and that account does not carry any special privileges (commenting on posts under a name, or being able to buy things), the account is for the site’s convenience, not the user’s, and there’s no reason a user should choose a particularly secure password. E-commerce sites that require people to create accounts before they can buy anything fall into this category if the customer can either be sure that the site won’t store payment information (good luck with that) or the customer has a “disposable” payment mechanism available.

When I’m shopping online and run into a store that won’t let me buy something from them without creating an account, I generate a unique e-mail address, generate a unique credit card number that can only be used by that merchant, buy whatever I need, then forget that the account ever existed. If the account is hacked, the hacker gets an e-mail address I never use (and can easily turn off) and a credit card number that’s no good to anyone but the merchant who first placed a charged on it. I can even set the charge limit on that temporary credit card number near the amount of what I’m buying. For that sort of account, I could easily use the password “Password” and lose nothing.

2. Passwords for message boards.
These passwords prevent anyone else from impersonating me on the message board. I generally use the same password on all these sites. If someone pretends to be me on GeekyLawChat.com (name available for registration!), well, that’s annoying, and the fact that I use the same password on NerdsOfTheLaw.net (also available!) means they could pretend to be me there, too. The worst-case scenario is that I might have an interesting time defending a defamation charge. When the alternative is to remember umpteen relatively unimportant passwords (or spend less time on Internet message boards—some of which require registration just to search the message boards), I’ll take the risk.

3. Accounts where money is at stake.
Bank accounts. Amazon (and the like), where you use the account regularly. To some extent, iTunes. If someone guessing your password means they can spend your money (or make it hard for you to get at your money), use a good password. Use a really good password. But where you want to use an ever better password is for…

4. E-mail.
Wait—an e-mail password is more important than the password for your online banking account? Maybe so. Think about how many web sites think that control of your e-mail account means you are who you say you are. Think of the number of sites with “e-mail me my password” links. Think of the number of passwords you probably have sitting in your e-mail right now. Having hackers drain your bank account would be very, very bad, but there’s a chance you could get that money back. Try proving you’re who you are on the Internet when someone else has control of your e-mail. And that’s not even getting to the content of the e-mails in your account. Ask Sarah Palin how annoying that can be.

In the case of Gawker, I might rather have had a “password” password than something real. A real password might have been used on an account I care about. “Password” is the next best thing to no password at all, and sometimes that’s just about the right level of security. “Password” is a perfectly fine password for an account you don’t care about.

Greene’s primary opponent, Vic Rawl, has now publicly pointed a finger at the voting machines (by the way, if Alvin Greene got the Al Green votes, why didn’t Vic Rawl get the Lou Rawls votes? Someone needs to investigate this soul singer gap). Columbia’s WTLX.com quotes Rawl as saying, “It appears to me that we have some sort of either machine malfunction or software malfunction.” Rawls also said he had no idea whether the malfunction was accidental or intentional. South Carolina’s election commission responded that it was “confident in the accuracy and reliability” of the voting machines.

It’s hard to know if that confidence is well-placed, however. South Carolina uses ES&S iVotronic voting machines, which have a history of accuracy and reliability issues. Newer versions support voter-verified paper audit trail, but it’s unclear whether South Carolina uses that feature. The elections commission said that every vote was recorded and left a paper trail, but its web page describing the process of voting with the machines says nothing about the voter verifying his or her vote against a paper record. The “paper trail” the commission talks about could be a paper record of every vote that was cast, verified by each voter; or it could be summary totals. It’s hard to tell from news reports.

If there is a good, voter-verified paper trail, machine malfunction (or tampering) is relatively easy to detect and correct. Just count the paper ballots. If there is no paper trail, or if the “paper trail” is merely a set of summary statistics, it’s impossible to know if the result is accurate.

Minnesota is one of twenty-two states that require voter-verifiable paper ballots. South Carolina is not. Minnesota law requires more than just a paper trail, however. By statute, all voting systems purchased after 2005 must be paper-based. According to that statute, voting machines must either scan marked paper ballots, or assist voters in marking those paper ballots.

If the Greene-Rawl primary had been held in Minnesota, the voting machines could quickly be eliminated as a source of the unexpected result. As it is, it may be impossible to know if Mr. Greene’s primary victory was influenced by voting machine irregularities.

The FTC charged that ControlScan had “misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices.” Although the seals claimed that ControlScan had verified the site’s privacy practices, ControlScan did “little or no verification” of those practices, according to the FTC. The FTC also took issue with the fact that the seals had current date stamps even though ControlScan did no daily reviews.

The settlement agreement required ControlScan’s former CEO to give up $102,000 in profits. It also suspended a $750,000 penalty against the company for inability to pay.

It’s uncertain whether privacy or security seals mean much. Even when providers scan daily, how much assurance can one expect for $71.50 per month? McAfee, the big player in the market after it bought (and renamed) the “HackerSafe” seal, had its own bit of bad press a couple of years ago when it turned out that several “Hacker Safe” sites were vulnerable to cross-site scripting attacks.

Even though ControlScan appears to have been in a different category than legitimate privacy seal vendors, the FTC settlement highlights a classic reputation problem with these seals. The seals look like they mean something, but the only way to know for sure is to check the seal provider’s practices—which undermines the point of the badge in the first place.

This should be an interesting case to watch. For a discussion of how this case might affect privacy for government employees, see Orin Kerr’s post over at the Volokh Conspiracy.

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow federal and local rules.

For example, suppose an employee has access to an employer’s computers for regular business purposes, but e-mails confidential data to an outside account. Later, he leaves the company and uses that confidential data to set up a competing business. Did the employee access that confidential data without authorization? The simple answer would be “no”: he had an account, he was allowed to use it, that permission had not been revoked, so any access was authorized.

The Ninth Circuit Court of Appeals recently adopted essentially this definition. LVRC Holdings, LLC v. Brekka said that such conduct is not unauthorized for purposes of the CFAA. The court looked at the language of the statute and a dictionary, and held that an employee has authorization to access a computer when the employer has given permission to use it. Because Brekka’s permission to use the computer had not been revoked when he accessed and mailed data to an outside account, the court held that his access was not unauthorized.

The Ninth Circuit rejected the agency-law analysis from a 2006 Seventh Circuit decision, International Airport Centers, LLC v. Citrin. That case had held that an employee’s authorization to access a computer ended the moment he breached his duty of loyalty to his employer—in that case, by wiping data from a laptop to hide evidence of misconduct. But in LVRC, the Ninth Circuit stuck to the text of the CFAA, noting that the CFAA is a criminal statute and should be interpreted in favor of lenience. Because the Ninth Circuit could find no agency law principles in the text of the CFAA, it held that a person uses a computer without authorization “when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”

An aspect of this case that might be of interest to employers is that Brekka did not have a written employment agreement and LVRC had no policies against e-mailing documents to outside accounts. Such a policy would presumably have made Brekka’s actions unauthorized. But it’s hard to write policies that cover every single thing an employee is not allowed to do. If a company wrote a policy that “employees are only authorized to use company computers to the extent that such use is consistent with company interests,” would that create the Seventh Circuit agency-law definition of unauthorized access? It seems like it might, but, as always, This Is Not Legal Advice.

The law is in Minnesota Statutes section 609.8911, which was added in 1994. It reads:

A person who has reason to believe that any provision of section 609.88, 609.89, or 609.891 is being or has been violated shall report the suspected violation to the prosecuting authority in the county in which all or part of the suspected violation occurred. A person who makes a report under this section is immune from any criminal or civil liability that otherwise might result from the person’s action, if the person is acting in good faith.

Chapter 609 is Minnesota’s criminal code, and sections 609.88, 609.89, and 609.891 are Minnesota’s computer crime statutes. Section 609.8911 therefore says that anyone who “has reason to believe” that any successful or attempted unauthorized computer access, damage, or theft has taken place must notify the county prosecutor.

Note what the statute does not say:

• It’s not limited to data an organization “owns or licenses,” as section 325E.61 is for data breach notification.

• It does not limit the reporting duty to situations where there’s a reasonable chance that the data was obtained by a third party. Because Minnesota’s computer crime statute outlaws attempted acts of computer crime, it seems to be irrelevant whether the attempted computer theft, damage, or unauthorized access was successful.
• It’s not even limited to data the organization handles—the language of the statute would seem to require telling the county attorney that someone else was hacked.

That’s broad. For example, a literal reading of the statute’s language would require calling the county prosecutor every time a virus scanner finds a virus. A virus either accesses a computer without authorization or damages it. As soon as the virus scanner alerts the user to the the presence of the virus, that user has reason to know that someone committed a computer crime. Does it matter that the user doesn’t know who committed the crime, that the county prosecutor can’t do anything with the information, or that universal compliance with the letter of the law would flood the prosecutor’s phone line with nothing but “I just got a virus” calls? Maybe in the real world, but there’s nothing in the statute to suggest that these concerns relieve anyone of the duty to report.

The statute is missing something else: penalty provisions. Any self-respecting criminal statute has two parts: (1) a list of things not to do, and (2) the penalties for doing those things. Criminal penalties can be specific, or they can just categorize the crime (as a felony, misdemeanor, etc.), but to have any force, they have to say what the cost of violating the law would be. There’s some question whether this is even a criminal statute—it’s in the criminal code, but it states an affirmative duty, not a prohibition, and it has no penalty provision. If it is a criminal statute, it’s mostly toothless.

It also appears that the statute has never been used. A search of Minnesota cases reveals no instance in which the statute was even cited, much less used to convict someone.

Becuase the statute has no penalties and has never been enforced, can you ignore it? Maybe. The stakes of doing so certainly seem low. But just try to find a lawyer who will say it’s okay to ignore any statute, even a toothless unenforced statute.

One reason to comply with the statute is that even a statute without penalty provisions can form the basis of a negligence per se claim. Negligence per se is a way for a plaintiff to use a statutory requirement to skip the usual inquiry into whether the defendant used reasonable care. There are technical requirements for negligence per se claims, but if those are met, a plaintiff’s case is made much easier. Here’s how it might work with section 609.8911:

1. A company sees an attempted attack, but doesn’t reasonably believe the attacker obtained any personal information, so does not report it.

2. The attacker, who actually did obtain data, misuses it, harming one of the data subjects.
3. The data subjects file a class-action against the company, claiming that the company was negligent in not telling them about the breach. To establish negligence, the plaintiffs point to section 609.8911, which says the company should have reported the attempted breach to the county prosecutor.

And—voila—a statute with no penalty provision has just become a problem for the company. Admittedly, that’s a stretch, and there are those “technical requirements” referred to earlier, but lawyers have advised their clients to avoid less probable risks.

The language of the statute, the lack of a penalty, and its immunity provision might make one wonder about the original purpose of the statute. It turns out that it was actually an early attempt at requiring data breach notification. In Minnesota House Judiciary Committee hearings held March 18, 1994, Rep. Phyllis Kahn, author of the original Minnesota computer crime law and the duty-to-report provision, said that her bill was an attempt to force banks and financial institutions to report computer crimes they might otherwise prefer to hide. It was “generally believed,” she said, that computer crimes were under-reported because these institutions preferred maintaining an appearance of security that could be hurt by disclosing a breach. She acknowledged that the section did not include any penalties for failing to report, but said that her bill would be a “good step forward,” and that she couldn’t imagine what a good penalty would be.

A few states have similar duties to report computer crimes, including Ohio and Utah. Georgia had a similar statute that was repealed in 1991. A handful of other states have general duties to report any crimes (or sometimes felonies), but in most states, there is no duty to report that one has seen a crime. The computer duty-to-report statutes appear to be isolated exceptions to this general rule.

Minnesota has a real data breach notification statute for a few years now. Perhaps it is time for the legislature to repeal or substantially modify section 609.8911. But until that happens, the safest course for any organization is to send the county prosecutor notice of any attempted data breach. It may seem silly (partly because, in many cases, it is), but that’s the letter of the law. With any luck, the busy prosecutor will respond with, “Thanks, but please don’t bother me again.”

The new law, S.B. 1017, makes two small changes to North Carolina’s notification requirements. First, it requires telling the state Attorney General about breaches of any size, not just those that affect more than one thousand people. Second, it requires the notifications to include contact information for the consumer reporting agencies (CRAs), the FTC, and the North Carolina Attorney General’s office.

The statute still has the same notification triggers as before: it applies to any business that “owns or licenses” personal information. The law applies to businesses that own or license data, but the statute’s definition of a “security breach” is not limited to breaches of information the business owns or licenses. It may just be a quirk of wording, but it looks like the law requires any business that owns or licenses data to notify people affected by any security breach. In fact, there’s nothing in the language saying that companies only have to disclose their own breaches:

N.C. Gen. Stat. § 75-65(a): Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. . . .

I doubt that’s the intention of the law, but there’s the language: companies that own or license data shall notify the affected person that “there has been a security breach.” So, maybe it’s a business’s duty to inform consumers that a competitor has been breached?

Also note the statute’s broad interstate reach, pulling in “any business that conducts business in North Carolina that owns or licenses personal information in any form.” It doesn’t even bother to limit the reach of the statute to businesses that own or license personal information about North Carolina residents.

The law’s big changes are to consumer credit reporting. It made quite a few changes to the state’s security freeze law. It reduced the time Consumer Reporting Agencies (CRAs) can take to initiate or remove a freeze from five days to three, gives CRAs fifteen minutes to temporarily lift a freeze once the consumer has requested a temporary lift by phone or e-mail (if the request is by mail, the CRA has three days), prohibits the CRAs from charging for placing, removing, or temporarily lifting a credit freeze unless the request was by mail (the old law allowed charging $10 per request), and requires that credit reports under a freeze say that the freeze does not reflect a negative score, history, report, or rating.

Finally, the law adds a “Credit Monitoring Services Act,” which might as well be titled the “freecreditreport.com” act. It requires anyone who provides credit monitoring or obtains a credit report on behalf of a consumer for a fee to give clear and conspicuous notice of the consumer’s right to a free credit report.

The law itself is pretty standard, at least as much as anything with fifty-five versions can be called “standard.” It requires anyone with personal information about a Missouri resident to notify the resident of a breach of security, defines “personal data” as any of the usual suspects plus a name (although, as John Bambenek points out, a name isn’t actually needed to steal money from someone’s checking account with ACH), requires the notice to be made “without unreasonable delay,” and allows safe harbors for encryption and cases where the data handler determines identity fraud is not likely. Notification can be written, by phone, or with certain electronic notice. The law allows substitute notice if personal notice would cost over $100,000, if more than 50,000 people are affected, or if there isn’t enough contact information to contact people directly. A data handler who has to notify more than one thousand people also has to alert the media, the attorney general’s office, and the credit reporting agencies. Enforcement is by the attorney general, with a civil penalty of $50,000 per breach for willful violations.

Senator Feinstein’s national data breach notification bill hasn’t emerged from committee since she introduced it in January. It’s now a bit of a race to see which happens first: a nationwide breach notification bill, or the remaining states passing their own versions.