California Privacy Law -- Sunshine Law by DarrenChaker

Points & Authorities: Quarterly Newsletter
Buchalter Nemer
Spring 2006

IN THIS ISSUE

  2   POINTS FROM THE PRESIDENT
  2   NEW FACES
  3   BALANCING EMPLOYEE
  4   IS YOUR COMMERCIAL WEBSITE IN COMPLIANCE
      PAY $3,000
  8   ATTORNEY PROFILE

Reasonable Security Procedures and Practices (RSPP)
Security Requirements on Companies that Own or License Personal Information

MICHAEL L. WACHTELL & RICHARD P. ORMOND

Two new California laws, effective January 1, 2006, may significantly affect
companies that do business with California residents. These new laws impose
new requirements on businesses with respect to the maintaining and sharing
of personal information about California residents.

Prior California law regulated some aspects of the handling of customer
records. For example, prior law required that a business take all reasonable
steps to destroy a customer’s records in its custody or control when they are
no longer to be retained. Specifically, businesses were and are required to
shred, erase, or otherwise modify the personal information in those records
to make it unreadable or undecipherable through any means. Prior California
law also required businesses to disclose to their customers and others any
breach of the security of any system, when that breach might have allowed
an unauthorized person to acquire unencrypted personal information about a
California resident.

Continued on page 7

Preempted or Not? Federal Courts Debate Viability of Affiliate Sharing
Provision in California’s Financial Information Privacy Act

The California Financial Information Privacy Act, Cal. Fin. Code §§ 4050, et
seq., took effect on July 1, 2004. This new law, commonly known as “SB 1,”
was intended to provide greater privacy protections than those provided under
the federal Gramm-Leach-Bliley Act. One key provision of SB 1 prohibits a
financial institution from sharing a consumer’s nonpublic personal information
with an affiliate unless the financial institution notifies the consumer annually
that the information may be disclosed to an affiliate unless the customer
objects. Several trade associations, however, have challenged successfully (so
far) this affiliate sharing provision of SB 1.

Continued on page 8

New Faces
At Buchalter Nemer

JAMES P. ARMSTRONG
Phoenix
Shareholder
Labor & Employment
(602) 234-0563

D. CHRISTOPHER JOHNSON
Los Angeles
Associate, Real Estate
(213) 891-5110

Senior Counsel, Real Estate
(602) 234-0563

CARRIE Y. LEE
Los Angeles
Associate, Business Practices
(213) 891-5013

SHELLY MCTEE
Phoenix
Shareholder, Real Estate
(602) 234-0563

Los Angeles
Associate, Litigation
(213) 891-5104

Points from the President

RICK COHEN

This issue of Points & Authorities tackles a topic that is both controversial
and unavoidable as it analyzes the dilemma every company faces in balancing
the benefits of sharing information and protecting privacy. When identical
information is unrestricted in one instance and protected the next, how do
business owners conduct business in a digital world without exposing
themselves to liability?

In an effort to simplify this complex subject for you, we’ve devoted this
issue of Points & Authorities to the laws governing privacy, some of which
became effective as recently as January 2006. Mike Wachtell and Richard
Ormond open this issue with an update on security requirements for companies
that license personal information; Karin Peterka tells you how to keep your
commercial website in compliance with California law and Holly Fujie sheds
light on the “Shine the Light” law. The courts’ position on balancing employee
expectations of privacy against an employer’s need for information is
explained by Morley Mendelson and Lisa Jacobsen.

This quarter we are pleased to profile attorney Clayton Friedman. A former
Assistant Attorney General and shareholder resident in our Orange County
office, Clay leapfrogs the country, counseling clients nationwide on how to
stay within the bounds of the myriad regulations that govern how a company
interacts with its consumers. This includes recognizing the fine line between
advertising and overselling, direct marketing issues, and government
regulation and relations.

We hope that you will not only enjoy this issue of Points & Authorities, but
that you will reach out to any one of Buchalter Nemer’s talented attorneys to
answer your specific questions. Buchalter Nemer is growing, so please visit
our New Faces column as well.

We look forward to speaking with you.

Rick Cohen
President and Chief Executive Officer

Balancing Employee Expectations
of Workplace Privacy Against an
Employer’s Legitimate Need for

Although there has always been a tension between an employee’s expectation
of privacy and an employer’s legitimate interest in monitoring employee
conduct, as high technology has taken over the way business is conducted, the
spotlight on employee privacy rights has become brighter and more focused.
Computers are now a predominant force in the workplace. The employer’s
ability to monitor employee use of e-mail, voice-mail, document control
systems, network and Internet capabilities has given rise to new conflicts, and
the potential for litigation, in the employee privacy realm.

Specifically, what may start out as a legitimate exercise of employer rights may
end up being an inappropriate invasion of an employee’s rights. For example,
take the case of John who is looking for a critical company document and
Ann, John’s subordinate. John looks for the document on Ann’s computer
because Ann is out for the day and she was the last one to have the document.
In a standard document search, John inadvertently discovers a number of
documents on Ann’s computer that do not relate to the document being sought.
John begins to read them. John quickly discovers that they are very personal
and private, but he continues to read them anyway.

Does John’s employer have any liability here? If the employer has a policy
putting the employee on notice that the employee should have no expectation
of privacy with respect to the employer’s computers in the work place, is the
employer relieved of liability? There is no easy answer to these questions.
Although, ideally, employee privacy rights should not interfere with an
employer’s ability to run its business, determining the boundaries of proper
employee monitoring and searches can be difficult. In TBJ Insurance
Services Corp. v. Sup.Ct., 96 Cal.App. 4th 443 (2002), the Second Appellate
District of the California Court of Appeal upheld an employer’s right to
search an ex-employee’s home computer provided by his employer for work
related use, despite the fact that the computer contained both business and
personal documents, based upon the employee’s consent in that case. The
TBJ Court relied upon the seminal case Hill v. National Collegiate Athletic
Association, 7 Cal. 1 (1994), in which the California Supreme Court set forth
the “reasonableness test”:

    “A ‘reasonable expectation of privacy is an objective entitlement
    founded on broadly based and widely accepted community norms,’
    and ‘the presence or absence of opportunities to consent voluntarily
    to activities impacting privacy interest obviously affects the expectations
    of the participant.’” Id. at 449, citing Hill at 37.

Continued on page 9

                                                                                          POINTS & AUTHORITIES   3
                      Is Your Commercial Website in
                      Compliance with California’s Online
                      Privacy Act (OPPA)?
                      KARIN E. PETERKA

                      The California Online Privacy Protection Act (“OPPA”) became effective on
                      July 1, 2004, and is codified in California Business and Professions Code
                      §22575. If you or your company operates a commercial website or online
                      service that collects personally identifiable information through the website
                      or online service from California consumers, you or your company will need
                      to comply with OPPA. Not only does OPPA apply to all businesses that collect
                      information from California consumers, regardless of the location of those
                      businesses, but OPPA also exposes businesses to civil lawsuits, including
                      class actions, for noncompliance.

                      1. WHO IS SUBJECT TO OPPA?

                      OPPA applies to any operator of a commercial website or online service that
                      collects personally identifiable information from consumers residing in
                      California. “Operator” means the owner of a website or an online service. It
                      does not include third parties who may operate, host, or manage the website
                      or service, or who process information on behalf of the owner. “Personally
                      identifiable information” means personally identifiable information about a
                      particular individual collected online by the operator from that individual
                      and maintained by the operator in an accessible form. Such information
                      includes consumers’ names, addresses, telephone numbers, social security
                      numbers, or any other information that allows operators to contact
                      consumers. “Consumer” means any individual who seeks or acquires goods,
                      services, money or credit for personal, family or household purposes.

2. WHAT DOES OPPA REQUIRE?

a. Privacy Policy Must Be “Conspicuously Posted”
OPPA requires an operator to conspicuously post a privacy policy on its
website or in the case of an online service, to use reasonable means to make
that policy available to consumers. A privacy policy is considered
“conspicuously posted” if:

•      the privacy policy appears prominently on the home page of a website
       or the first significant page after entering the website;

•      the privacy policy is directly linked to the home page or first
       significant page by means of an icon that contains the word “privacy”
       and uses a color that contrasts with the web page’s background;

•      the privacy policy is linked to the home page or first significant page
       by means of a hypertext link, provided the hypertext link, (i) contains
       the word “privacy,” (ii) is written in capital letters that are at
       least as large as the surrounding text, (iii) is written in larger type
       than the surrounding text, or (iv) if the surrounding text is the same
       size, the link is set apart with a contrasting type, font, color, or by
       symbols or other markings designed to call attention to the text link;
       or,

•      the privacy policy is linked to the home page by means of any other
       functional hyperlink that is displayed so that a reasonable person
       would notice it.

b. Required Elements of a Privacy Policy
OPPA requires that your online privacy policy include the

•      identify the categories of personally identifiable information that the
       operator collects through the website about the individual consumers;

•      identify the categories of third parties with whom the operator may
       share that personally identifiable information;

•      describe the process for a consumer to review and request changes to
       his or her personally identifiable information, if the operator
       maintains such a process;

•      describe the process the operator will use to notify consumers of any
       material changes to the privacy policy; and,

•      identify the effective date of the privacy policy.

3. WHEN IS AN OPERATOR IN VIOLATION OF OPPA?

An operator of a commercial website or online service under OPPA will be in
violation of OPPA only if the operator fails to post its privacy policy within
30 days after being notified of noncompliance. In order to be liable for
noncompliance, the operator must have knowingly and willfully, or negligently
and materially, failed to comply with either, (a) OPPA’s posting requirements
after notice of noncompliance, or (b) the terms of its own privacy policy.

4. WHAT ARE THE PENALTIES FOR NONCOMPLIANCE OF OPPA?

OPPA does not set forth specific penalties for noncompliance. However, a
failure to comply with OPPA can subject a website operator to enforcement
actions and lawsuits alleging that the operator engaged in an unfair business
practice under California’s Unfair Competition Law (Business and Professions
Code §§17200-17209). The Unfair Competition Law may be enforced by government
officials seeking civil penalties or injunctive relief. The Unfair Competition
Law also allows for private rights of action and has been used increasingly as
the basis for class actions.

5. WHAT ARE STEPS YOU CAN TAKE TO COMPLY WITH OPPA?

If you or your company operates a commercial website or online service,
consider taking the following steps in order to comply with OPPA:

•      Determine whether your commercial website or online service collects
       personally identifiable information from California consumers and
       ensure that such information is secure;

•      Create an accurate privacy policy that discloses all relevant
       information in compliance with OPPA;

•      Post your privacy policy in a conspicuous manner on your website in
       compliance with the requirements of OPPA;

•      Conduct regular audits of your privacy policy to ensure compliance;
       and,

•      Institute internal procedures for employees to ensure compliance and
       to prevent privacy breaches.

If you have any questions about OPPA or would like assistance complying with
OPPA or reviewing your existing privacy policy for OPPA compliance, please
contact Karin Peterka, a Shareholder in the Intellectual Property Group at
Buchalter Nemer. She can be reached at (213) 891-5280 or by email at

“Shine the Light” or Pay $3,000

Selling or disclosing personal information about your customers can become a
pricy business unless you comply with the “Shine the Light” law (California
Civil Code, Section 1798.83). That law states that if your business disclosed
personal information about a customer with whom you have an “established
business relationship” to a third party who you “reasonably should know” may
use the information for direct marketing purposes, you must disclose that to
the customer free of charge upon the customer’s request. This law only applies
to businesses with 20 or more employees.

The type of information sharing covered by this law that would trigger the
obligation to disclose that information sharing to the customer, is
information that can be used to identify a particular individual. The range of
information is broad and includes name, address, telephone number, e-mail
address, social security number, bank account number, credit card number,
debit card number, bank or investment account, debit card or credit card
balance or payment history; age or date of birth; names, email or addresses,
number, age or gender of children, height, weight, race, religion, occupation,
education or political party affiliation; medical condition, drugs, therapies
or medical products or equipment used; the kind of product the customer
purchased, leased or rented or the kind of service provided; real property
purchased, leased or rented; or information related to the customer’s
creditworthiness, assets, income or liabilities.

A “third party” under the Shine the Light law is an unaffiliated separate
legal entity provided with the covered information, including one that has
access to a shared database which contains such information. It is not a
disclosure under the statute if the third party is merely involved in the
storage, management or organization of information, and if you know that it
has not used the information for direct marketing, the maintenance or
servicing of accounts, public record information or the joint offering of
services or product. (Financial institutions subject to the California
Financial Information Privacy Act are not covered by this statute if they are
otherwise in compliance with Sections 4052, 4052.5, 4053, 4053.5 and 4054.6 of
the Financial Code.)

If you have provided customer information to third parties, then you are
required to provide the customer, free of charge, with a written list of the
categories of personal information disclosed, the names and addresses of all
third parties that received the information and, if necessary, the nature of
their businesses. Responses need not be customized; a standard form response
is sufficient and the information only needs to be provided to each requesting
customer once per year.

The law also requires that you designate a mailing address, email address or
toll-free telephone number to which customers may deliver requests, as well as
make sure that all employees with regular customer contact have this contact
information and are instructed to pass that information along to customers who
inquire, or be able to tell customers how to obtain that information. You must
also add a link to the home page of your website that says “Your Privacy
Rights” or add those words to the home page’s link to your privacy policy. The
size, font and color of that link, and the content of the privacy information
provided, are detailed in the statute.

A response to the request at the designated addresses or numbers must be
provided within 30 days. Requests made to other addresses or numbers must be
responded to within a reasonable time (not exceeding 150 days or about five
months).

A business that fails to comply with this statute can be sued for damages by
any customer injured by violation of this law. The Court may also impose
additional statutory damages of up to $500 per violation and up to $3000 for
any willful, intentional or reckless violation of the statute. In those
instances in which the violation was not intentional, a defense to the claim
is that the business provided the requested information to the customer within
90 days of the date the business knew that it had failed to provide the
requested information.

To learn more about whether this law applies to your business, please contact
Holly Fujie at Buchalter Nemer. Holly Fujie is a Shareholder in the Los
Angeles office. She can be reached at (213) 891-5085 or by email at

Reasonable Security Procedures and Practices (RSPP)
Security Requirements on Companies that Own or License Personal Information


Prior California law did not, however, specifically require a business to
implement and maintain procedures and practices to protect personal customer
information, nor did existing law provide a right of a California resident to
learn what information has been disclosed to third parties. Assembly Bill 1950
(“AB 1950”), which adds section 1798.81.5 to the California Civil Code
(“Section 1798.81.5”), imposed these requirements for the first time.

With the new law, companies that own or license unencrypted personal
information must “implement and maintain reasonable security procedures and
practices” for that data. The statute does not detail the level of security
required but states that it must be “appropriate to the nature of the
information to protect the personal information” from unauthorized access,
destruction, use, modification or disclosure.

The statute defines “personal information” as including an individual’s name
in combination with one or more of the following data elements, if either the
name or data element is unencrypted or unredacted: (i) social security number;
(ii) driver’s license or California identification card number; (iii) account
number in combination with a security code or password; and (iv) medical
information.

It should be noted, however, that the new law excludes from its definition of
“personal information” any information that is encrypted or redacted.
Therefore, a business that encrypts all personal information stored on its
computers will only need to worry about adequately protecting non-computer
based information (e.g., paper reports containing personal information,
customer receipts, etc.). Third party internet service providers and website
hosts are not directly regulated by RSPP.

Further, companies subject to this law may only disclose such information to
unaffiliated third parties who contractually agree to maintain reasonable
security measures. Under RSPP, any business entering into a contract with a
nonaffiliated third party that discloses personal information, must also
require, by contract, that the third party implement and maintain reasonable
security procedures and practices containing information about California
residents. [Businesses that comply with stricter privacy laws, such as health
care providers and entities covered by Health Insurance Portability and
Accountability Act (“HIPAA”), are deemed to be in compliance with the
California law].

WHAT ARE THE CONSEQUENCES OF FAILING TO COMPLY WITH SECTION 1798.81.5?

A violation of Section 1798.81.5 could subject the business to a lawsuit under
California’s Unfair Competition Law, which classifies “unlawful business
conduct” as one form of unfair competition, and provides for civil penalties,
private rights of action, and class actions against businesses engaged in
unfair competition.

WHAT CAN MY BUSINESS DO TO ENSURE COMPLIANCE WITH SECTION 1798.81.5?

All businesses that conduct any business in California, or with California
residents, probably maintain, or have the potential of maintaining, some sort
of unencrypted personal information as defined by Section 1798.81.5.
Therefore, unless your business is exempt from the requirements of Section
1798.81.5 (because the business is already subject to a more protective state
or federal law), management should consider taking the following actions to
ensure compliance:

1. Identify the kinds of personal information that the business collects and
maintains. Be sure to include paper-based as well as electronically-stored
personal information.

2. Determine the level of risk that the potential loss or unauthorized
disclosure of information poses to your business and to the public. It may be
helpful to create a risk-rating system for this purpose, and assign each piece
of personal information maintained a high, medium, or low risk category.

3. Use the risk analysis to determine if your business’s security measures and
procedures are “reasonable.” In making this determination, weigh the costs of
the protection that your business currently provides (e.g., data encryption,
backup, fire safes, internal procedures, locked cabinets, insurance, etc.),
against the damages that the business would sustain if the data were to be
lost or improperly disclosed.

4. If necessary, adjust procedures and practices so that the type and level of
protection provided to the personal information is appropriate for the degree
of risk of loss or improper disclosure of that information.

Buchalter Nemer strongly encourages every business to document the risk
analysis described above, as well as the company’s standard operating
procedures that will ensure compliance with Section 1798.81.5. This is because,
in the event that a person brings an action for violation of AB 1950, the
business will be able to demonstrate that its protective measures are not only
reasonable, but that the business, in fact, adheres to them.

Michael L. Wachtell is a Shareholder in the Los Angeles office. He can be
reached at (213) 891-5460 or by email

Richard P. Ormond is an Associate in the Los Angeles office. He can be reached
at (213) 891-5217 or by email at

Preempted or Not? Federal Courts Debate Viability of Affiliate Sharing
Provision in California’s Financial Information Privacy Act

In 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit in federal court against California Attorney General Bill Lockyer seeking to enjoin the enforcement of the affiliate sharing provision of SB 1. American Bankers Ass’n v. Gould, 412 F. 3d 1081 (2005). These associations argued that SB 1 is preempted by the Fair Credit Reporting Act, 15 U.S.C. §§ 1681, et seq., (“FCRA”). That act regulates the issuance and use of “consumer reports” by credit reporting agencies. However, some financial institutions were uncertain about whether the communication of information to affiliated institutions constituted a “consumer report” subject to the FCRA. In response to these concerns, Congress amended the FCRA in 1996 to exclude some communications of some kinds of information between affiliated financial institutions from the definition of a “consumer report.” At the same time, Congress added a clause to the FCRA preempting state laws. See 15 U.S.C. § 1681t(b)(2).

On cross-motions for summary judgment, the district court granted summary judgment in favor of the California Attorney General, holding that SB 1 is not preempted in any way by FCRA. The Ninth Circuit reversed the district court’s ruling, citing the “affiliate-sharing preemption clause” of FCRA, 15 U.S.C. § 1681t(b)(2) which preempts “all state requirements and prohibitions on the communication of information between affiliated parties.” Gould, 412 F. 3d at 1086 (internal quotations omitted); 15 U.S.C. § 1681t(b)(2). The Court interpreted the word “information,” as used in the FCRA preemption clause, consistently with its restricted meaning elsewhere in FCRA. Because FCRA preempts states from enacting more protective laws regulating consumer credit information, the Court reasoned, California was thus preempted from regulating “the communication between affiliates of ‘information,’ as that term is used in § 1681a(d)(1).” The Ninth Circuit remanded the case to the district court to consider “whether, applying this restricted meaning of ‘information,’ any portion of the affiliate sharing provisions of SB 1 survives preemption and, if so, whether it is severable from the portion that does not.”

On remand, the district court ruled that for information sharing to be preempted under FCRA, it must concern a consumer’s “creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” [§ 1681a(d)(1)], and be used for an authorized purpose (namely, to establish eligibility for credit, etc.). Am. Bankers Ass’n v. Lockyer, 2005 WL 2452798, *2 (E.D.Cal.,2005).[1] The Attorney General and other defendants argued that although SB 1 regulates information falling within the scope of § 1681a, nonetheless “a vast sea of information exists that does not meet the purpose prong of information as defined under FCRA.” The district court dismissed this argument, and agreed with the plaintiffs that it would be virtually impossible to ascertain in advance the purpose to which information was going to be used. In other words, an institution might gather information for a FCRA-authorized purpose, believing in good faith that it was not governed by SB 1, then fail to use the information for that purpose – in violation of SB 1:

“This creates the untenable situation of forcing California financial institutions to either risk violation of SB 1 or comply therewith whether or not the information is for an FCRA authorized purpose.”

The district court also ruled that the unconstitutional applications of SB 1’s affiliate sharing provision could not be severed, and declined to “rewrite SB 1 to excise those applications that are unconstitutional.”

The district court’s decision was undoubtedly welcomed by those financial institutions that opposed California’s extension of the privacy protections of the Gramm-Leach-Bliley Act. However, Attorney General Bill Lockyer has appealed the district court’s decision and a briefing schedule has been set. Thus, the legal saga of SB 1 will continue.

[1] Case No. S04-0778 (E.D.Cal. Oct. 4, 2005) (England, J.).

Keith Paul Bishop is a Shareholder in the Orange County office. He can be reached at (949) 224-6293 or by email at

Balancing Employee Expectations of Workplace Privacy Against
an Employer’s Legitimate Need for Information

Because of the wide variety of work environments, and circumstances
surrounding consent, the courts have determined the question of
whether employees have reasonable expectations of privacy in their
work areas and in the technology they use on a case-by-case basis.
The key factors in limiting employees’ expectations in this regard,
however, are consent and prior notice. If an employer has a clear
policy allowing for reasonable searches of employee areas, computers,
e-mail, voice-mail and Internet usage, its employees’ expectations of
privacy should be diminished.

The employer’s search policy should be written, easily understood, and
regularly reviewed and updated. The policy should state that the
workplace and technology provided by the employer are for
work-related use only, and that the employer may search employee
areas, computers, voice-mail, e-mail and Internet usage. Employee
acknowledgement, in writing, of this policy is one way to confirm, in
advance, that employees are subject to applicable search policies and
have consented to those policies. That being said, employers may
also seek express written consent before proceeding with a search.
Searches of areas or technology that are not explicitly mentioned in
the employer’s policy may also be supported, in certain cases, by a
compelling business reason that supports such a search.

Because of the case-by-case nature of such matters, it is wise to consult
labor counsel prior to conducting an employee search or taking any
action against an employee based upon the material uncovered by
the search. Counsel should also be consulted when creating company
policies dealing with employee privacy issues since the legal landscape
in this area is ever changing. The importance of providing advance
notice of what employees can and cannot expect to remain private in the
workplace cannot be overemphasized. Reducing the employee’s expectation of
privacy is one of an employer’s best defenses against allegations of
invasion of privacy.

Morley G. Mendelson is Of Counsel in the Los Angeles office.
He can be reached at (213) 891-5117 or by email at

Lisa M. Jacobsen is Of Counsel in the Los Angeles office. She can be
reached at (213) 891-5027 or by email at

ATTORNEY PROFILE
Clayton Friedman

If your business interacts with consumers, Clayton Friedman should be on your radar screen. About to launch that new online advertising campaign? Think again. Increased scrutiny by regulatory agencies and the potential for liability make any new marketing effort a risk, unless of course, Clay has given it his blessing.

The former Missouri Assistant Attorney General and Chief Counsel of the National Association of Attorneys General Consumer Protection Project is well-versed in the nuances of consumer law and the complex maze of regulations that govern how your business communicates — be it through advertising, direct marketing or special promotions.

More and more industries today — insurance, healthcare, Internet, telecommunications, automotive and consumer finance to name just a few — are subject to intense scrutiny by federal and state agencies charged with making sure that people are protected in their business transactions. Whether you sell a product or provide a service, whether yours is a brick-and-mortar business or a virtual provider, the government takes the position that the customer is always right, seriously.

Criss-crossing the country, Clay takes a proactive approach. He counsels clients to implement communications strategies that keep state Attorneys General and regulatory agencies knowledgeable about their industry’s best practices and develop relationships that keep two-way channels open. He and his team, who have 40 years of government experience combined, offer in-house review of your business’s customer-service policies, marketing training programs or new campaigns, to minimize risk and maximize potential before your hard work gets the kibosh by a regulator. When the sudden or unexpected government action does occur, Clay and his rapid response team of attorneys are primed to move in swiftly.

A straight talker from America’s Midwest, Clay is a member of both the business transactions and litigation practice groups focusing on multi-state regulatory work, e-commerce, antitrust matters and consumer protection. He has also developed an extensive e-commerce practice handling advertising, marketing, privacy and regulatory issues affecting Internet marketing and sales.

Clay Friedman can be reached at Mr. Friedman
is admitted to practice in Illinois and Missouri; his California admission is

                                                                Los Angeles San Francisco Orange County Phoenix

                         Committed to the idea that success is collaborative, Buchalter Nemer’s
                         professionals provide value and superior legal services to their
                         clients across an array of industries in local, regional, national and
                         international venues.

[Photo: Buchalter Nemer Los Angeles office lobby]

Points & Authorities
Points & Authorities is published as a service to our clients and friends. Its articles are synopses of particular developments
in the law and are not intended to be exhaustive discussions or relied upon as conclusive. The authors are pleased to discuss
the information contained in their articles with you in greater detail.

To reprint articles that appear in the Points & Authorities, please contact Lisa Holloway-Shinn, in the Marketing Department
by e-mail at or (213) 891-5623.

BuchalterNemer
1000 Wilshire Boulevard, Suite 1500
Los Angeles, CA 90017-2457
