Legal Report August 2005
U.S. JUDICIAL DECISIONS
Alarms. An Oregon appeals court has ruled that the police search of a citizen’s home in response to a false burglar alarm was illegal.
On the evening of February 23, 2002, the burglar alarm went off at Damon Stoudamire’s house in Lake Oswego, Oregon. A professional basketball player, he was a few hours away in Portland, playing in a basketball game. His neighbors called the police.
Police officers arrived at the scene. The back door of the house was open about a foot, and neighbors claimed to have seen an unfamiliar car pull out of the driveway 45 minutes earlier. However, there was no evidence of a forced entry. In compliance with department policy when responding to a burglary call, the officers entered and searched Stoudamire’s house.
The police did not find a burglar, but they did discover a large bag of marijuana. The officers confiscated the drugs and left Stoudamire a false-alarm notice indicating that they had been in the house and why they had been there.
Officers returned to Stoudamire’s house a week later and told him of the marijuana they had found. They charged Stoudamire with possession of a controlled substance. In the run-up to Stoudamire’s trial, defense attorneys moved to suppress the evidence found in their client’s home. Attorneys argued that the officers had no right to search Stoudamire’s home.
Prosecutors argued that the search was valid on several grounds. First, the state argued that Stoudamire had consented to the search when he purchased a burglar alarm and contracted with a company to monitor the alarm and call police when the alarm was triggered. Also, argued prosecutors, the police officers had probable cause to suspect that a crime was being committed and, thus, had the right to conduct the search.
The court ruled that the search had been illegal. This decision was based, in part, on the high false-alarm rate in the area. Between 1996 and 2002, there had been 32 false alarms at Stoudamire’s house. He had been cited seven times under the city’s false-alarm ordinance.
According to the city’s records, more than 99 percent of all residential alarms triggered in Lake Oswego the previous year were false alarms. The court found that because the officers who searched Stoudamire’s house knew this, they also knew that they had no probable cause to conduct the search.
The state appealed the decision to the state court of appeals. The appellate court agreed with the lower court finding that the search of Stoudamire’s house was illegal. In addressing the state’s argument that the defendant consented to the search when he installed a burglar alarm, the court noted that a person who has an alarm understands that neighbors might call the police if an alarm sounds and that police might enter the house under appropriate circumstances. But, the court noted, “the person does not consent in advance to every entry by the police in response to an alarm.” (State of Oregon v. Damon Lamon Stoudamire, Court of Appeals of the State of Oregon, No. CR02-0915, 2005)
Trade secrets. An Ohio appeals court has ruled in favor of a preliminary injunction barring an employee from using his former employer’s information in his new job. However, the court ruled that some of the information taken by the employee could not be included in the injunction because the company failed to take sufficient steps to protect it.
John Mazur resigned his position as a salesman with Liebert Corporation at 3:30 p.m. on January 20, 2004. Earlier that day, Mazur had downloaded company price books from the corporate intranet and customer lists and buyer histories via the company’s Web site to his personal laptop computer. Mazur began work with Aerico, Liebert’s competitor, six days later. Liebert filed for a preliminary injunction against Mazur to prevent him from using the information to benefit his new employer.
At trial, Mazur testified that he had erased the information and had not used any of the data. However, a computer forensics expert testified that the evidence showed that Mazur had copied the Liebert information to a Zip disk on February 5, 2004, and then erased all of the data from the hard drive of his laptop. However, there was no way to prove that Mazur still had the data.
To determine whether the documents Mazur took were legally trade secrets, the court heard testimony from Phillip Barnett, Liebert’s director of e-commerce, on the security measures used to protect the information. The price books were available through the company intranet but were password protected. They were not available through the company’s public Web site.
In addition, Barnett explained that salespeople needed a unique ID number and password to access the customer lists and buyer histories via the Internet. Passwords were assigned on a need-to-know basis. A confidentiality statement appeared whenever anyone accessed the information online. He also testified that the access codes were changed and the IDs deleted from the system when employees left so that they could not access the information remotely. Hard copies of the information were kept in each office and were available to salespersons.
The trial court denied the preliminary injunction, ruling that while the price books were trade secrets, the company had not proved that the customer lists and buyer histories were trade secrets because they were available through other means. The court also ruled that there was no proof that Mazur still had the information, so the court could not reasonably assume that he planned to use it to benefit his new employer.
The Ohio Appeals Court granted the injunction against Mazur, prohibiting him from using the information in the price books, which were not accessible via the corporate Web site. However, the court ruled that the customer lists and buyer histories could be accessed by the Web site and that the company did not take sufficient security measures to protect them online. The court noted that the company also failed to secure the hard copies of this information.
Further, in the written opinion of the case, the court noted that it was troubled by the company’s “failure to either require employees to sign confidentiality agreements, advise employees that its records were confidential, or label the information as confidential.” There was also no evidence that the company told employees that the information was to be kept secret.
In granting the partial injunction, the court found that there was sufficient evidence to suggest that Mazur intended to use the trade secrets while working for his new employer. Stealing the information and then attempting to cover this fact by erasing the data from the laptop was strong evidence that Mazur knew that the data was valuable and that he should not have it. (Liebert Corporation v. John Mazur, Ohio Court of Appeals, No. 1-04-2794, 2005)
U.S. CONGRESSIONAL LEGISLATION
Information security. At a recent hearing on identity theft, data brokers argued that only limited measures were needed to protect consumers from identity theft, while consumer advocates and identity theft victims disagreed and laid out steps Congress should take.
Representatives from companies such as ChoicePoint, Acxiom Corporation, and LexisNexis shared their stories of data breaches and the theft of information from their computer systems. However, each organization claimed that it had taken steps to tighten security and that limited government intervention was needed.
Jennifer Barrett, chief privacy officer for Acxiom, said that while “appropriately tailored” legislation could benefit companies in protecting consumer information, “even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals intent on committing fraud.”
According to Barrett, Acxiom supports federal legislation requiring that companies notify consumers in the event of a security breach in cases where the consumer is at risk of identity theft or fraud. (More than 30 states have enacted such laws or are currently considering them.) This is the design of a bill (S. 751) introduced by Sen. Dianne Feinstein (D-CA). The bill would require this notification with exceptions for law enforcement investigations or matters of national security.
However, Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, a consumer advocacy group, told the committee that S. 751 doesn’t go far enough. He told lawmakers that another bill, (S. 798) introduced by Sen. Charles Schumer (D-NY), would better address the issue.
Schumer’s bill would require the Federal Trade Commission (FTC) to establish rules for information brokers and for the protection of the information they gather. The rules would cover data accuracy, confidentiality, user authentication, and detection of unauthorized use. The bill would also give consumers the opportunity to review their information held by data brokers. It also requires that the FTC set up enforcement measures to punish companies that do not comply with the rules.
To read the hearing testimony, visit SM Online.
Port security. Lawmakers and witnesses recently discussed port security issues at a hearing before the Senate Commerce, Science, and Transportation Committee. The key issue raised at the hearing was grant funding for the various federal programs enacted after 9-11.
Among the witnesses was Richard L. Skinner, acting inspector general for the U.S. Department of Homeland Security. He noted that some grant money was expended improperly and numerous funded projects had yet to be completed by port authorities.
According to Skinner, the department had spent $67 million on 258 projects that did not score high enough on evaluations to merit the funding. Of the $515 million granted between June 2002 and December 2003, only $107 million, or 21 percent, had actually been spent on port security improvements. As of September 30, 2004, Skinner testified, “The majority of projects had not been completed, and the program had not yet achieved its intended results in the form of actual improvements to port security.”
However, private sector witnesses testified that the funds had not been used because they had not yet been given to the ports. Jean Godwin, vice president of the American Association of Port Authorities, told lawmakers that only one-sixth of all projects approved under the program had received grant money. Godwin noted that this situation was likely to worsen under the administration’s plan of eliminating the port security grant program and adding the funds to a larger grant program designed to serve security needs for the entire transportation infrastructure, including trains, trucks, buses, and public transportation.
Read the testimony of witnesses and lawmakers at Security Management Online.
Cybersecurity. A bill (H.R. 285) that would establish a national cybersecurity response team to analyze threat information and provide early warning of attacks on the cybersecurity infrastructure has been approved by the House Homeland Security Committee’s Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity. The bill must now be considered by the full committee.
Under the measure, the team would also be tasked with providing information and assistance to restore the infrastructure after an attack. The bill also calls for coordination between government and the private sector to promote information sharing. This information sharing would be used to promote voluntary best practices, standards, and benchmarks in the private sector.
Whistleblowers. A bill (S. 494) that would protect federal employees who disclose information about government wrongdoing has been approved by the Senate Homeland Security and Government Affairs Committee. To proceed, the bill must now be taken up by the full Senate.
The bill would prevent reprisal against government workers who publicly release information regarding waste, abuse, or gross mismanagement in the federal government. Such abuses in relation to secret national defense information can be disclosed to a member of Congress rather than being publicly released, the bill states.
Spyware. A bill (H.R. 744) that would prohibit the use of spyware has been approved by the House and is now pending in the Senate Judiciary Committee.
The bill would prohibit intentionally copying a program onto a computer to commit a crime or to obtain or transmit personal information with the intent to defraud or injure another person or to cause damage to another person’s computer.
The bill provides exemptions for investigations undertaken by a law enforcement agency or a U.S. intelligence agency. The bill does not include an exemption for private security investigations. However, companies would be able to install the software on corporate computers.
Cargo security. Two amendments to the 2006 appropriations bill for the Department of Homeland Security (H.R. 2360) would mandate new cargo security measures. The first amendment would require that all air cargo be inspected before being loaded onto passenger airplanes. This provision would take effect in 2008. The second amendment to the bill, which would take effect immediately after the bill is enacted, would require that passengers be notified that unscreened cargo is being loaded onto their flight.
H.R. 2360 has been approved by the House and is now awaiting action in the Senate.
Private security. A bill (H.R. 2011) introduced by Rep. David Price (D-NC) sets out requirements for private security personnel who perform under federal contracts. Specifically, the law would require that the government issue regulations setting minimum standards. The standards would address who could be hired as a private security officer, minimum training for officers, and required certifications. Under H.R. 2011, these standards could vary based on the duties of various security personnel and whether their job required a security clearance. Regardless of duties, however, the regulations would have to state that anyone with a prior criminal record couldn’t be hired.
The bill has seven cosponsors and has been referred to the House International Relations Committee and the House Armed Services Committee.
U.S. STATE LEGISLATION
Hospital security. A measure (A.B. 6204) under consideration in the New York Assembly would require that private hospital security officers receive 40 hours of comprehensive training in fire prevention, basic criminal law, first aid, and use of restraint. The bill would require that the state develop the training program.
RFID. A bill (S.B. 682) introduced in the California Senate would prohibit state agencies from including RFID tags in identity documents—such as driver’s licenses, student identification badges, and medical cards. The bill’s sponsor, Sen. Joe Simitian (D), indicated in the text of the bill that RFID technology would allow data to be scanned secretly or remotely and, therefore, would greatly magnify the “potential risk to individual privacy, safety, and economic well-being.”
This column should be not be constructed as legal or legislative advice.