Aug 312009
 August 31, 2009  Posted by  Court, Online, Workplace

Attorney Evan D. Brown discusses a case that sheds some light on how courts may view a privacy invasion claim of “intrusion on seclusion” when a firm’s employee email is hosted in the cloud:

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.


Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer—as provider of the system—could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.

Read more on CircleID
The case is Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Aug 312009
 August 31, 2009  Posted by  Featured News

The 3rd International conference on IPRs, Personal Data Protection and National Security is to be held on October 20 – 22, 2009 in Beirut, Lebanon. The conference is co-organised by Lebanese Information Technology Association (LITA) and International Association of Cybercrime Prevention (AILCC) and hosted by University of Saint Joseph in Beirut. The event is held in cooperation with Interdisciplinary Center for Law and ICT , Belgium; The Higher Council for Science and Technology, Jordan ; The Ministry of Administrative Reform, Lebanon and Microsoft Lebanon.

More information here and here [pdf].

Aug 312009
 August 31, 2009  Posted by  Breaches, Business, Non-U.S., Surveillance, Workplace

The Privacy and Information Security Law Blog reports that earlier this month,

the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl € 36,000 (approximately $51,000) for illegally keeping records of employee health data.

To compound the employee privacy breach with a security breach, it seems that the case was triggered by a report in the German news magazine Der Spiegel after someone found papers and forms containing Lidl employees’ health data in a trash bin at a car wash.

Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees’ medical conditions, partly without their knowledge. This activity was found to violate data protection law in many cases.

Aug 312009
 August 31, 2009  Posted by  Court, Featured News, Non-U.S.

Julian Assange of WikiLeaks writes that:

A California court has issued a subpoena demanding Google reveal the IP addresses of journalists writing for a corruption busting journal from the Caribbean.

The August 28 subpoena [pdf], issued by the Superior Court, County of Santa Clara, as part of a “libel tourism” action taken by non-US property developers, demands detailed information about the operators of “[email protected]”.

The account is the main email address of the TCI Journal, the most influential journal covering the Turks & Caicos Islands.


According to the notifying letter from Google to the Journal, Google intends to hand over the requested records in just over two weeks, without any defense, and states that the Journal may file a counter-motion with the Santa-Clara court itself.

More background on the issues leading to the subpoena are available on