It is a deposition question that too often surprises lawyers and corporate-witness deponents.  Upon return from a water or lunch recess, the deposing lawyer asks the witness: “So, tell me what you and your company’s lawyer discussed during the break?”  Can the deposing lawyer ask that?  Does the defending lawyer have an attorney-client privilege objection?

Recently Forbes.com published an article exposing a security flaw in common keycard hotel room locks that permitted hackers with a digital device to effortlessly trigger the opening of the locking mechanisms. This, of course, would allow the hacker to have access to the personal belongings inside the room or, worse yet, unwanted access to the guests themselves.  The “security vulnerability” was said to be present in keycard locks built by a particular lock company and specifically in a model of lock that appears in at least four million hotel rooms worldwide. There are believed to be a number of “patches” to fix the issue, which vary in cost.

Wired Magazine recently reported that seven rent-to-own companies and a software manufacturer are settling charges with the Federal Trade Commission.  The charges claimed that computers rented from the rent-to-own companies used pre-installed spyware to obtain a host of data from the users.  The settlement only requires the companies to stop using the spyware, known as “Detective Mode,” which has been installed on as many as 420,000 rental computers.  In addition to secretly turning on a computer’s webcam, the software was capable of logging keystrokes, and  taking screen shots of a user’s activity.  The software then transmitted the secretly gathered information to the manufacturer, DesignerWare, who forwarded the material on to the rent-to-own company, all without the user’s knowledge.  The settlement still allows the rent-to-own companies to employ the software so long as they notify the renters.  Further, the FTC lacks criminal jurisdiction, so the companies have yet to face any criminal charges.  However, the FTC acknowledged that criminal activity appears to have occurred in a nod to the potential for ongoing investigations. 

The computers at issue collected everything from addresses, photos and video of often compromising situations, to phone numbers, email and social media passwords and financial logins, begging the question of what type and how much information a user should feel comfortable entering on a computer they don’t own.  In the case of someone renting a computer, it can be easy to see how a user operates under the impression that they have unfettered access to the machine for the term of the rental.  Nonetheless, there are measures that such parties can take in an effort to secure their privacy.  There are free firewall programs, such as Zone Alarm and Windows Firewall, that allow users to designate and monitor every program that accesses and/or attempts to access outbound internet connections.  Had the renters correctly configured and employed such a program, they would have known that a program, by whatever name, was attempting to send information from the subject computer.  In the event that renters were unable to install or configure (in the case of pre-installed Windows Firewall) such programs, it should serve as a red flag to carefully consider the manner in which to employ a rental or loaner computer. 

Retailers providing consumers with electronics on a rent-to-own basis face many challenges in ensuring that they are paid for the electronics that they rent.  In particular, computers are small and easy to hide if a retailer seeks to repossess the computer from a non-paying customer.  The temptation to use software that allows the retailer to view where the computer is located and what the renter is doing with the computer is strong, however, the consequences of doing so can be high.  Obtaining information from the computer without the renter’s knowledge or consent not only erodes the renter’s trust and confidence in the retailer, but also opens the retailer up to possible civil and criminal liability.

Every day, we see the impact of technology on the practice of law. Blogs, social networking, electronically stored information, and other legal resources create enormous economies and unprecedented depth in our field. But with these advantages come unrecognized perils. The transparency and mobility of electronic information creates significant risks to clients, unless properly controlled. As part of the project to rein in technology in the practice of law, the American Bar Association launched an ambitious multi-year project called Ethics 20/20. One of the major goals of Ethics 20/20 was to modernize the rules of ethics and bring them into congruence with the state of technology.

As reported by InsideCounsel, the American Bar Association House of Delegates (“ABAHD”) recently approved an amended model rule stating that it is ethical for lawyers to disclose client information when trying to move from one firm to another.

Specifically, the rule states that it is ethical for an attorney in negotiations for a different job, as well as attorneys in merging firms, to disclose the identities of clients and the amount of business they generate because the information can help point out any conflicts of interest that might exist.  However, the model rule states that lawyers still should not reveal clients' financial information.

Although the model rule has been approved by the ABAHD, the rule is simply an advisory rule.  In addition, the rule provides little guidance for attorneys faced with the question of how much client information can be ethically revealed in states whose bar associations do not have rules covering this topic.  Thus, prior to revealing any information, lawyers should carefully consider and weigh this model rule against Model Rules of Professional Conduct 1.6 and 1.9.

Google recently launched a new service called Google Now that is available to users of its most current mobile operating system, Android Jelly Bean.  Google Now automatically creates and presents a series of “cards” that try to organize your life by presenting information Google thinks you’ll need at a given moment.  The information presented via the cards is based on data Google collects based on how you use various Google services - such as Google searches and Gmail.  For example, a recent Tech Crunch article notes that the cards may present you with information relevant to your current location, such as nearby restaurants, weather, schedules for nearby mass transit or how long it will take you to drive home from your given location.  Similarly, the cards may present you with flight schedules and currency exchange rates if you’re in a foreign country.  The first time you click on the Google search box within Jelly Bean, Google pops up an introductory screen to provide more information about Google Now.  Users can then explore the topic further.  To use Now, users must explicitly opt in.

Once a user opts in, Google collects and aggregates even more information about you on a daily basis: accessing your email, your calendar, your contacts, your text messages, your location, your shopping habits, your payment history, as well as your choices in music, movies and books.  In other words, what Google Now does is simply take the new, unified privacy policy you had to opt into a short time ago and regurgitates that information to you in what it considers to be useful ways.  When Google first introduced its new privacy policy, at the beginning of this year, more than 30 U.S. state attorneys general protested.  Now, by opting in to this program, users are providing even more information to Google, including the GPS coordinates for their home.  Nonetheless, there has not been a great deal of attention placed on Google Now or its accompanying privacy implications. Although users may appreciate the convenience of the features that are transparent, they may not consider the significance of the information they are providing access to and what Google may elect to do with their data in the future.  A case can be made that Google essentially “forced” users into agreeing to its new privacy policy, as you could not continue to use Google services without doing so.  However, by actively “opting in” to the new Google Now program, it becomes more difficult to argue that you did not willingly provide Google with access to your data.  So for now, users need to be aware of what they are providing access to.

The issue of whether CGL policies cover junk fax liabilities under the federal Telephone Consumer Protection Act (TCPA) has largely faded from view.  During the 2004-2010 period, insurers won several key victories in federal courts only to lose much of this ground through adverse state supreme court rulings on the key issue of whether a consumer's receipt of a fax constituted a covered "personal injury" as involving the publication of material that invaded a person's right of privacy.  At the same time, however, the widespread use of TCPA exclusions after 2007 and the growing awareness of most business concerning TCPA exposures substantially reduced the number of coverage disputes.

Although the junk fax wars are no longer on page 1 of the coverage news, a number of recent decisions make clear that the wars continue and, indeed, are being fought on several different fronts.  In particular, insurers have recently argued with success that the $500 statutory damages allowed under the Act are a type of penalty or punitive damages for which coverage is unavailable as a matter of public policy.

In Illinois, where the state supreme court ruled in Valley Forge Ins. Co. v. Swiderski Electronics, Inc., 860 N.E.2d 307 (Ill. 2006) that TCPA claims trigger "personal injury" coverage, the intermediate appellate court ruled last month that there is no duty to indemnify such claims because the $500 statutory penalty for sending unauthorized telefaxes is a form of punitive damages and thus uninsurable under Illinois law.  

In Standard Mut. Ins. Co. v. Lay, No. 4-11-0527 (Ill. App. April 20, 2012), the insurer agreed to defend TCPA claims under a reservation of rights.  The insured insisted on Peppers counsel, however, who negotiated a settlement with class action claim representative for the full amount demanded ($1,739,000) in consideration of an agreement to only pursue recovery from Standard Mutual's policy proceeds.  In affirming a lower court's ruling in favor of Standard Mutual, the Appellate Court noted that actual cost in loss of paper, toner and ink caused by receiving a fax is far less than $500, the purpose of this award must be one of deterrence and not compensation.  It ruled, therefore, that these damages were in the nature of a penalty that, as with punitive damages, is uninsurable as a matter of public policy in Illinois.

More recently, a divided panel of the Missouri Court of Appeals (Eastern District) took a slightly different approach in reaching the same result.  In Olsen v. Siddiqi, No. ED 97455 (Mo. App. May 9, 2012), a class of TCPA claims pursued a garnishment demand for $4.9 million against a telemarketer's liability insurer (American Family) that the plaintiffs had obtained by way of a consent judgment that could only be satisfied through the policy proceeds without risk to the insured.  Although a trial court found coverage, American Family appealed on the grounds that the claims were not for "property damage."

In reversing and finding no coverage, the Missouri appellate court ruled 2-1 that the claims were not "damages" on account of "property damage."  The court distinguished the Eighth Circuit's Missouri ruling in Universal Underwriters Ins. Co. v. Lou Fusz Automotive Network, 401 F.3d 876 (8th Cir. 2005), noting that the policy at issue in that case had expressly defined damages as including punitive damages (where insurable by law).  The Missouri Supreme Court has ruled that fines and penalties are not insurable "damages" unless the policy expressly provides to the contrary.  In this case, the majority declared that the option of recovering statutory damages under the TCPA had a penal purpose and that $500 damages are therefore not insurable.  (The court also rejected the insured's claim for "personal injury" coverage, noting that he had expressly given up this coverage by endorsement).  A minority opinion argued that the loss of toner and fax paper is clearly "property damage."  Justice Mooney also claimed that a $500 award is, in fact, remedial and that it only the provision for trebled damages in the event of intentional TCPA violations that has a penal purpose.

TCPA claims also remain a source of tension between state and federal courts.

In Illinois, state and federal courts have reached conflicting conclusions as to whether the "personal injury" requirement that a "person's right of privacy be invaded precludes CGL coverage for business interests that receive junk faxes.  In Maxum Ind. Co. v. Eclipse Mfg. Co., No. 06 C 4946 (N.D. Ill. June 13, 2011) Judge Lefkow ruled that businesses have no right of privacy and therefore cannot claim coverage, Swiderski notwithstanding.  By contrast, the First Division of the Appellate Court ruled a few months later in Pekin Ins. Co. v. Xdata Solutions, Inc., 958 N.E.2d 397 (Ill. App. Ct. 2011) that a corporation can be a "person" whether the issue is presented under Illinois or Indiana law.

In Massachusetts, where the Supreme Judicial Court followed the Swiderski court's lead in finding CGL coverage for TCPA claims presented under ISO forms in Terra Nova Ins. Co. v. Evan Fray-Witzer, 869 N.E.2d 565 (Mass. 2007), the First Circuit took a different view under different language in the St. Paul general liability policies which required that the insured "make known" material that invades privacy interests.  In Cynosure, Inc. v. St. Paul Fire & Marine Ins. Co., 645 F.3d 1 (1st Cir. 2011), the First the reference to "makes known" clearly requires that the privacy interest be invaded by the content of the communicated materials, not the means of communication consistent with the holdings of the U.S. Courts of Appeal for the Third and Fourth Circuits construing similar wordings.  Writing for the court, former U.S. Supreme Court Justice David Souter declared that "what logic and definition require, syntax confirms."

Finally, disputes persist with respect to the scope of TCPA exclusions that have been a mandatory endorsement to CGL forms since 2007.  This exclusion was upheld by a federal district in a recent Houston case.

A federal judge in Houston ruled in Rick's Cabaret International, Inc. v. Indemnity Ins. Co., No. H-11-3716 (S.D. Tex. January 24, 2012)(insurer was relieved of any duty to defend TCPA claims against its insured by reason of an exclusion in its policy for claims arising out of or relating to "actual or alleged violation of United States Federal Communications Commission rules, regulations, interpretations, policies, statutes, laws or codes").  Even so, insureds and garnishment claimants are succeeding to avoid these exclusions by claiming recovery on common law grounds.

Additionally, the ubiquity of TCPA exclusions in CGL policies is forcing claimants to broaden the scope of their coverage search, exploring claims under E&O or D&O policy that may lack such exclusions.  For instance, in Landmark American  Ins. Co. v. NIP Group, Inc., No. 1-10-1155 (Ill. App. December 5, 2011), the Illinois Appellate Court ruled that that an insurance agency's use of junk faxes to market its services potentially involve the rendering of or failure to render "professional services" so as to trigger its E&O policy.  The First Division noted that as the Landmark policy provided coverage for "advertising liability," the insurer could not argue that advertising could never involve a professional service.

Apart from these coverage issues, the key factor driving insurer exposures to TCPA claims is the risk of class certification.  It remains to be seen how much the U.S. Supreme Court's 2011 Walmart opinion and other opinions addressing Rule 26 certification will create larger roadblocks to class certification of these claims.  In the interim, the Georgia Supreme Court is now considering an appeal that present the novel issue of how such damages should be calculated.

In A Fast Sign v. American Home Services Co., a Georgia trial court determined that the insured had intentionally violated the TCPA by issuing 306,000 junk faxes.  Accordingly, the court awarded damages to the certified class totaling $459 million.  The Georgia Court of Appeals ruled on May 29, 2011 that TCPA liability hinged on a consumer's receipt of a fax and that it was therefore error to award damages based on the number of faxes issued.   The plaintiff's appeal was argued before the Georgia Supreme Court on May 21, 2012.

Three law firms based in Austin, Texas recently filed suit on behalf of 13 people claiming that almost 20 apps, including Facebook, Foursquare, Yelp and Twitter, violate policies put in place by distributers such as Apple’s App Store, Amazon’s App Store and Google Play.  The American Statesmen reports that the violations are a result of mobile apps “stealing” address book data, such as names, phone numbers, email addresses and even birthdays.  The lawsuit seeks to stop app developers from harvesting data without permission.  The complaint cites an industry publication that claims the information collected could be worth 60 cents to several dollars per contact. 

A New York Times article investigating contact mining recently noted that “the address book in smartphones — where some of the user’s most personal data is carried — is free for app developers to take at will, often without the phone owner’s knowledge.”  The app developers use the data in an effort to expand the number of people using their program.  Developers use email addresses to target potential new customers and to target advertisements.  Several companies, including Path, a social networking site, have issued apologies regarding “how [their] application used your phone contacts.” 

Attorney Richard Newman, an Internet law attorney and managing partner of the Hinch Newman firm, with offices in both California and New York, thinks that the lawsuits are starting to have an impact.  Mr. Newman stated “the mobile communications industry is finding that failing to properly inform consumers of what is happening to their information is increasingly grabbing the attention of regulatory authorities, including the Federal Trade Commission.”  Until a regulatory framework is hammered out to govern emerging data privacy issues, litigation may be one of the only things keeping pace with technology development.  

A growing trend among employers is requesting applicants’ usernames and passwords to gain access to restricted social media in order to investigate applicants during the hiring process.  In response to this trend, Illinois and Maryland have each recently proposed laws that would essentially ban employers from requesting this type of information.  The main arguments for and against the proposed laws are centered around constitutional privacy concerns, however,  employers should consider that restricting their hiring personnel’s access to this type of information is not as harmful as some opponents have argued.