<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0UMSXY5eip7ImA9WhRWF0Q.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273</id><updated>2012-01-05T15:28:08.822-05:00</updated><category term="heartland payment systems data breach" /><category term="cyber risk privacy kroll marsh womble carlyle" /><category term="unique device identifier" /><category term="HIPAA" /><category term="Iphone" /><category term="electronic protected health information" /><category term="Womble Carlyle  IAPP Global Privacy Summit data protection" /><category term="udid" /><category term="PHI" /><category term="geolocation privacy first amendment" /><category term="facebook google zynga privacy violations smart grid" /><category term="Apple" /><category term="U.S. Department of Health and Human Services" /><title>Privacy and Data Protection</title><subtitle type="html">Womble Carlyle's "Privacy Bulletin" highlights select developments that might be of interest to entities that collect or use personally identifiable information. Protecting a person's privacy is a challenge to businesses, universities, and all other entities that collect personal information, particularly given the proliferation of personally identifiable information contained within consumer and employee records. 
Womble Carlyle issues its Privacy Bulletin twice a month.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>63</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/PrivacyAndDataProtection" /><feedburner:info uri="privacyanddataprotection" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><entry gd:etag="W/&quot;A0cASXkycSp7ImA9WhRWF0o.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-58119483507519444</id><published>2012-01-04T14:49:00.005-05:00</published><updated>2012-01-05T10:57:28.799-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-05T10:57:28.799-05:00</app:edited><title>Privacy Bulletin: Issue No. 61</title><content type="html">&lt;p&gt;&lt;strong&gt;U.S. Supreme Court Deciding Extent of GPS Tracking &lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In the &lt;em&gt;&lt;a href="http://www.law.cornell.edu/supct/cert/10-1259"&gt;United States v. 
Jones&lt;/a&gt;&lt;/em&gt;, the Supreme Court will determine under which circumstances law enforcement agencies are permitted to use technology to collect and use a person’s GPS location information. The Circuit Court rejected the lower court’s conviction of Jones that resulted from law enforcement’s use of Jones’s GPS data on the basis that, with such GPS surveillance, the story told by the sum of information collected is greater than what is revealed by any one bit of information, and that the sum of a person’s location information is private information that is not exposed to the public.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In the &lt;a href="http://www.supremecourt.gov/oral_arguments/argument_transcripts/10-1259.pdf"&gt;November 8 oral argument&lt;/a&gt; before the Supreme Court, the Solicitor General of the United States, citing Supreme Court precedent, asserted that law enforcement agencies are permitted to track individuals on public roads, on grounds that people do not have a reasonable expectation of privacy when driving their cars on public roadways. During the argument, Jones’s attorney and the Court addressed whether there is a difference between traditional police surveillance, such as a police car following a suspect, and police surveillance by GPS tracking, and Jones’s attorney asserted that GPS tracking is an unreasonable invasion of privacy because the human element of the surveillance has been removed. In essence, Jones’s attorney argued that the police could devote unlimited &lt;em&gt;manned resources&lt;/em&gt; to surveillance, but that the invasion of privacy stems from the employment of GPS technology to perform &lt;em&gt;unlimited&lt;/em&gt; surveillance, because society would not expect that the human element (i.e. 
the physical police presence) would be removed from surveillance.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Ultimately, the decision will have significant bearing on the balancing of two conflicting matters: the extent of the public’s right to privacy versus law enforcement agencies’ desire (and, perhaps, need) to effectively track potential criminals and conserve agency resources, an issue that has become increasingly relevant with today’s budget constraints. The future of business monitoring and surveillance of employees will likely be affected by the outcome of this case, as the court establishes a standard for what society believes to be reasonable in electronic surveillance.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Did Microsoft Force a Stealth Monitoring System on Cellphone Users?&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In &lt;em&gt;&lt;a href="http://www.reuters.com/article/2011/08/31/us-microsoft-lawsuit-idUSTRE77U6BT20110831"&gt;Cousineau v. Microsoft Corp&lt;/a&gt;&lt;/em&gt;., W.D. Washington No. 2:11CV0438, a case in which cell phones were used to determine a person’s location, the plaintiff is seeking class action status in a complaint against Microsoft. The case concerns whether the Microsoft Windows Phone 7 application surreptitiously forced users into its non-stop geo-tracking program. The plaintiff alleges that even when a user turned off the tracking feature, the information was still sent to Microsoft. In response, Microsoft said there was a software error in the code. Microsoft has filed a motion to dismiss the case.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;AccuWeather Accused of Using Weather Report to Pinpoint Customer Location&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;a href="http://www.courthousenews.com/2011/10/28/AccuWeather.pdf"&gt;Goodman v. 
HTC America&lt;/a&gt;&lt;/em&gt; [referred to as the AccuWeather Case], filed in the United States District Court, Western District of Washington at Seattle, is one of the first cases to claim that intrusive and unprotected software is a consumer defect under the consumer protection laws filed in. The plaintiffs alleged that a mobile phone manufacturer and application developer installed the AccuWeather application on their phones ostensibly to provide convenient weather reports, but subsequently used the application to transmit plaintiffs’ locations for other purposes (including “fine” geographic location data, which identifies the latitude and longitude of a particular device's location within several feet at a given date and time). Plaintiffs also claimed that defendants failed to meet accepted baseline information security standards (by transmitting the information in an unencrypted manner), and acknowledged a product defect but failed to alert purchasers, rectify the defect, investigate data usage and/or onward transfer of detailed geographic location data, or remediate the third-party retention of the data.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Medical Company Sued in Class Action After Huge Data Breach&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The complaints in class-action lawsuits filed (in Sacramento County Superior Court and Alameda County Superior Court) against Sutter Medical Foundation and Sutter Physicians Services allege that compromised patients’ data was not properly secured because it was unencrypted and stored in an unsecure location, and that Sutter failed to notify patients that their information had been compromised within the timeframe set forth under California law.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;A Sutter company computer, containing the names, addresses, birth dates, phone numbers, and health insurance information of over 3.3 million patients, as well as detailed descriptions of medical procedures and/or diagnoses of more than 
900,000 patients, &lt;a href="http://www.healthcareitnews.com/news/1b-suit-filed-against-sutter-health-over-data-breach"&gt;was stolen in mid-October&lt;/a&gt;. Information on the computer was protected by a password; however, it was not encrypted.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;For more information, please contact one of the following attorneys or any member of the &lt;a href="http://www.wcsr.com/profSearch?team=privacyanddataprotection"&gt;Privacy and Data Protection Team&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="mailto:tclaypoole%20@wcsr.com"&gt;Ted Claypoole&lt;/a&gt;: (704) 331-4910&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="mailto:jgross@wcsr.com"&gt;Jonathan Gross&lt;/a&gt;: (704) 350-6370&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-58119483507519444?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/58119483507519444/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2012/01/privacy-bulletin-issue-no-61.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/58119483507519444?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/58119483507519444?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2012/01/privacy-bulletin-issue-no-61.html" title="Privacy Bulletin: Issue No. 
61" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;A08NSH0-fyp7ImA9WhZaFEk.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-6713128880079136132</id><published>2011-06-30T11:58:00.002-04:00</published><updated>2011-06-30T12:04:59.357-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-30T12:04:59.357-04:00</app:edited><title>Privacy Bulletin: Issue No. 60</title><content type="html">&lt;p&gt;&lt;strong&gt;U.S. Supreme Court strikes down Vermont law protecting prescription privacy&lt;/strong&gt;&lt;p&gt;In a blow to medical privacy and a victory for the direct marketing industry, the Supreme Court ruled that &lt;a href="http://www.leg.state.vt.us/statutes/fullsection.cfm?Title=18&amp;amp;Chapter=091&amp;amp;Section=04631"&gt;Vermont’s Prescription Confidentiality Law&lt;/a&gt; violates the rights of data miners under the Free Speech Clause of the First Amendment. The Court found issue with the law’s provision that absent prescriber consent, pharmacies and similar entities may not sell or otherwise provide prescriber-identifying information for marketing purposes; yet, the same information may be disseminated and used for other purposes, such as education or research. On the surface, the decision is a victory for drug manufacturers and data marketing firms that use doctors’ prescribing history to create more informed and targeted marketing efforts. 
Many feel the Court’s ruling calls into question the constitutionality of &lt;a href="http://articles.boston.com/2011-06-24/news/29699961_1_prescription-privacy-prescription-data-prescription-patterns"&gt;prescription privacy legislation pending in other states&lt;/a&gt;, such as Massachusetts, Maine and New Hampshire. &lt;br /&gt;&lt;p&gt;So does this ruling finally answer the question of what the Supreme Court holds more sacred: corporate First Amendment rights or individual privacy concerns? The &lt;a href="http://www.cdt.org/pr_statement/cdt-statement-supreme-court-decision-sorrell-v-ims-health"&gt;Center for Democracy and Technology&lt;/a&gt; argues no, and that from the beginning the Justices questioned whether the Vermont law was ever intended to protect patient privacy, especially given the federal protections already in place. “The Supreme Court explicitly states that a statute imposing a more comprehensive privacy regime ‘would present quite a different case than the one presented here.’ The court explained that had the state restricted all disclosure except in ‘a few narrow and well-justified circumstances,’ then the court would have viewed the challenge through a quite different lens.” &lt;br /&gt;&lt;p&gt;&lt;strong&gt;Sony hit with additional lawsuits from mid-April breach&lt;/strong&gt; &lt;br /&gt;&lt;p&gt;The mid-April &lt;a href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426"&gt;data breach at Sony&lt;/a&gt; that exposed the personal data of over 77 million users of its PlayStation Network and Sony Online Entertainment network has prompted yet another class-action lawsuit–this time by three New York users of the game console. In their complaint, filed in the Southern District of California, plaintiffs allege Sony spent “lavishly” to protect its own data, while cutting costs and corners with respect to its customers’ data security. 
The 30-page complaint also alleges Sony did not encrypt customers’ personal data and &lt;a href="http://www.reuters.com/article/2011/06/24/sony-breach-lawsuit-idUSN1E75M1Y320110624"&gt;laid off&lt;/a&gt; a substantial portion of its Sony Online Entertainment workforce just weeks before the breach. &lt;br /&gt;&lt;p&gt;&lt;strong&gt;Two geolocation bills introduced in Senate&lt;/strong&gt; &lt;br /&gt;&lt;p&gt;In an effort to prevent government and industry abuse of location data, members of Congress recently announced two federal &lt;a href="http://www.nationaljournal.com/daily/congress-to-device-makers-don-t-track-me-bro-20110615"&gt;geolocation privacy bills&lt;/a&gt;. The Geolocation Privacy and Surveillance (GPS) Act, introduced by Representative Jason Chaffetz (R-Utah) and Senator Ron Wyden (D-Ore.), would require law enforcement to show probable cause and obtain a warrant to track location through mobile devices. &lt;br /&gt;&lt;p&gt;Addressing the geolocation issue with regard to the entities aggregating the actual data, a bill introduced by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) requires: (1) the express consent of users prior to sharing geolocation data, and (2) the deletion of user geolocation data upon request. &lt;br /&gt;&lt;p&gt;While both bills seek to protect citizens from unwanted physical tracking, they also both rely on the presumption that geolocation privacy is in fact desired. At least &lt;a href="http://www.zdnet.com/blog/btl/mobile-privacy-flap-take-two-starring-google-skyhook-gps-act/50745"&gt;one writer&lt;/a&gt; argues that the bills may be undermined by promotions, coupons and other incentives encouraging consumers to make available their personal geolocation data. 
&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Illinois updates and adds teeth to Personal Information Protection Act&lt;/strong&gt; &lt;br /&gt;&lt;p&gt;An amendment to Illinois’ &lt;a href="http://www.ilga.gov/legislation/fulltext.asp?DocName=09700HB3025lv&amp;amp;SessionID=84&amp;amp;GA=97&amp;amp;DocTypeID=HB&amp;amp;DocNum=3025&amp;amp;print=true"&gt;Personal Information Protection Act (PIPA)&lt;/a&gt; has passed both houses and is now awaiting the governor’s approval to become law. The amendment specifies new minimum disclosure notices that data collectors must issue in the event of a breach, and also adds civil penalties for improper disposal of personal information. The new provision requires materials containing personal information to be disposed of “in a manner that renders the personal information unreadable, unusable, and undecipherable.” Furthermore, “any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance policies and procedures” to protect the information throughout the collection and disposal process. &lt;br /&gt;&lt;p&gt;Any person, business or government entity may be subject to a maximum $100 penalty for each individual whose personal information is disposed of in violation of the Act, with the total penalty not to exceed $50,000 per “instance” of improper disposal. Absent from the Act is a definition of what exactly constitutes an “instance.” We will likely have to wait for the first major violation to see how the Illinois Attorney General interprets the statute’s new language. 
&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Help for small business website security&lt;/strong&gt; &lt;br /&gt;&lt;p&gt;A joint effort among the Department of Homeland Security (DHS), SANS Institute, MITRE, and many top software security experts in the US and Europe has produced a detailed &lt;a href="http://www.redorbit.com/news/technology/2071258/us_works_to_protect_businesses_from_attack/"&gt;list of software vulnerabilities&lt;/a&gt; aimed at helping businesses set up a secure website and judge potential programming errors. While the federal program has been in development for years, the costs of programming oversight have been front page news with recent cyber attacks resulting in the theft of credit card and other personal information. Included in the publicly available research is the &lt;a href="http://cwe.mitre.org/top25/index.html"&gt;Top 25 List&lt;/a&gt; of programming errors that have been exploited in many of the recent attacks. For example, the top error is not preventing SQL-injection attacks on websites, an oversight exploited by hacking group LulzSec to retrieve user names and passwords from sites such as FBI’s InfraGard program and NATO’s online bookstore. &lt;br /&gt;&lt;p&gt;There is hope among IT security contractors that this latest guidance by the DHS team will prompt organizations to address the real and growing threat software security poses to their operations. 
&lt;br /&gt;&lt;p&gt;If you have any questions, please contact one of the following lawyers or any member of the &lt;a href="http://www.wcsr.com/profSearch?team=privacyanddataprotection"&gt;Privacy and Data Protection Team&lt;/a&gt;: &lt;br /&gt;&lt;p&gt;&lt;a href="mailto:TClaypoole@wcsr.com"&gt;Ted Claypoole&lt;/a&gt;: (704) 331-4910 &lt;br /&gt;&lt;p&gt;&lt;a href="mailto:SShaw@wcsr.com"&gt;Stephanie Shaw&lt;/a&gt;: (202) 857-4509 &lt;br /&gt;&lt;p&gt;&lt;em&gt;*Special thanks to Summer Associate Dan Tracey for his contributions to this edition of the Privacy Bulletin.&lt;/em&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-6713128880079136132?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/6713128880079136132/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/privacy-bulletin-issue-no-60.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/6713128880079136132?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/6713128880079136132?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/privacy-bulletin-issue-no-60.html" title="Privacy Bulletin: Issue No. 
60" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;A0ABQ34ycSp7ImA9WhZbEkg.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-997700875857948838</id><published>2011-06-16T14:42:00.010-04:00</published><updated>2011-06-16T17:29:12.099-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-16T17:29:12.099-04:00</app:edited><title>Privacy Bulletin: Issue No. 59</title><content type="html">&lt;p&gt;&lt;strong&gt;Twitter’s OPT-OUT Confirmations May Violate TCPA&lt;/p&gt;&lt;p&gt;&lt;/strong&gt;&lt;a href="http://www.mobilemarketer.com/cms/news/legal-privacy/9854.html"&gt;A lawsuit was filed in a California federal court&lt;/a&gt; that claims that Twitter violated the Telephone Consumer Protection Act (TCPA). The plaintiffs in this case are asking for class action certification. The suit alleges a violation of the TCPA’s requirement that a consumer give express consent before commercial text messages are sent to a consumer’s phone. Plaintiffs allege that Twitter sent a confirmation text message to them in response to their text messages opting out of receiving further text messages from Twitter. The plaintiffs argue that Twitter’s confirmation message violated the TCPA because it was sent without the plaintiffs’ prior express consent. The plaintiffs argue that their request to opt out of any further text messaging from the defendants revoked any express consent given prior to the opt out. Text message confirmations of a request to opt out of receiving further text messages are relatively standard in the industry. In fact, &lt;a href="http://www.mmaglobal.com/bestpractices.pdf"&gt;the Mobile Marketing Association’s U.S. 
Consumer Best Practices recommends&lt;/a&gt; that a confirming message should be sent to the consumer.&lt;/p&gt;&lt;p&gt;These cases could have an impact on companies that use text messaging to communicate with consumers or as a marketing tool. A court resolution of these cases should provide valuable guidance to similarly situated firms in the future.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Senator Introduces Legislation Regarding National Standard for Notifications of Data Security Breach&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The recent rash of security breaches, including those at Sony and Lockheed Martin, has helped to galvanize the focus of the U.S. government towards business practices regarding safeguarding consumer data and notifying the general public about data breaches. &lt;a href="http://leahy.senate.gov/press/press_releases/release/?id=31e641c0-013e-4abc-8148-2c4f04ac3a86"&gt;Senator Patrick Leahy, a Vermont Democrat, said in a statement&lt;/a&gt;: “The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”&lt;/p&gt;&lt;p&gt;&lt;a href="http://leahy.senate.gov/imo/media/doc/BillText-PersonalDataPrivacyAndSecurityAct.pdf"&gt;Senator Leahy introduced a bill,&lt;/a&gt; known as the Personal Data Privacy and Security Act of 2011, which would set a national standard for notifying consumers of a data breach. 
Senator Leahy summarized the legislation in his press release:&lt;/p&gt;&lt;p&gt;- Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;&lt;/p&gt;&lt;p&gt;- A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;&lt;/p&gt;&lt;p&gt;- An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and&lt;/p&gt;&lt;p&gt;- A requirement that the government ensure sensitive data is protected when the government contracts with third-party contractors.&lt;/p&gt;&lt;p&gt;The current state of the law regarding data breach notification requirements is unclear and difficult to comply with because most states have a slightly different reporting requirement. &lt;a href="http://www.bloomberg.com/news/print/2011-06-07/sen-leahy-unveils-data-breach-bill-seeking-enhanced-protections.html"&gt;Robert Holleyman, the president of the Business Software Alliance, urged Congress to pass&lt;/a&gt; “a single, national standard to replace the unwieldy state patchwork we have today.” The Business Software Alliance represents software makers.&lt;/p&gt;&lt;p&gt;Co-sponsors of this bill are Senator Chuck Schumer (D-NY), Senator Ben Cardin (D-MD) and Senator Al Franken (D-MN). We will continue to monitor the progress of this legislation through the halls of Congress.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Leahy Introduces Legislation Regarding Email Privacy&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://leahy.senate.gov/press/press_releases/release/?id=b6d1f687-f2f7-48a4-80bc-29e3c5f758f2#Summary"&gt;Senator Patrick Leahy (D-Vt.) 
also introduced legislation&lt;/a&gt; to update the Electronic Communications Privacy Act (ECPA), a key source of legal protection for email privacy. Leahy was the lead author of ECPA, which was enacted in 1986 to protect the privacy of Americans’ electronic communications. However, the electronic world has changed dramatically since the law’s enactment and the law may not adequately protect the privacy of individuals in this new world.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-112s1011is/pdf/BILLS-112s1011is.pdf"&gt;Senator Leahy’s bill would &lt;/a&gt;require a government agency to obtain a search warrant from a court any time it wants to read an email. Further, Senator Leahy states that this legislation:&lt;/p&gt;&lt;p&gt;- Includes new protections for Americans’ location information that is collected, used or stored by service providers, smartphones and other mobile technologies.&lt;/p&gt;&lt;p&gt;- Includes a provision to enhance the cybersecurity of U.S. computer networks, by allowing service providers to voluntarily disclose content to the government that is pertinent to addressing a cyber-attack involving their computer network.&lt;/p&gt;&lt;p&gt;- Improves law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications, if notification would endanger national security.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Data Breaches&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;In a new section of our Privacy Bulletin, we will provide information we’ve come across about recent data breaches. The following breaches have been publicized since our last Privacy Bulletin:&lt;/p&gt;&lt;p&gt;- Lockheed Martin &lt;a href="http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html"&gt;confirmed&lt;/a&gt; that its information systems network had been attacked by hackers on May 21. 
The Company does not believe the breach, which was thwarted following detection, resulted in the release of any personally identifiable or other private information from its customers or employees. Lockheed is continuing to investigate the incident, which may be related to a data breach that occurred at RSA Systems in March.&lt;/p&gt;&lt;p&gt;- Hackers &lt;a href="http://r20.rs6.net/tn.jsp?llr=f9ki7zaab&amp;amp;t=fpfxx7fab.0.64jtz7fab.f9ki7zaab.51592&amp;amp;ts=S0629&amp;amp;p=http%3A%2F%2Fwww.gmanews.tv%2Fstory%2F222516%2Ftechnology%2Fhackers-hit-acer-website-compromise-40k-users-data" target="_blank"&gt;breached&lt;/a&gt; a European server belonging to the computer manufacturing company Acer the weekend of June 4th. The incident may have compromised the data of approximately 40,000 customers from its Packard Bell unit in Europe.&lt;/p&gt;&lt;p&gt;- In early June 2011, Citigroup &lt;a href="http://citigroup.com/citi/press/2011/110610c.htm"&gt;announced&lt;/a&gt; that during routine monitoring it uncovered that the data of approximately one percent of its 21 million North American credit card customers had been breached. Citigroup noted that its customers' account information (such as name, account number and contact information, including email address) was accessed, but the customers' social security number, date of birth, card expiration date and card security code (CVV) were not compromised. Accordingly, Citigroup does not believe that the data breach revealed sufficient information to perpetrate fraud, but the company will monitor accounts and re-issue credit cards to affected customers.&lt;/p&gt;&lt;p&gt;- On June 8, the International Monetary Fund told staffers that the organization’s computer network was subject to a sophisticated cyberattack. 
As &lt;a href="http://www.nytimes.com/2011/06/12/world/12imf.html?_r=3&amp;amp;hp"&gt;reported&lt;/a&gt; by the New York Times, which cited unnamed IMF officials in its discussion of the significance of the incident, the scope of the attack is still being investigated and its full ramifications are unknown. The IMF has not publicly announced details of the attack, but confirmed an investigation was underway.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.honda.ca/news/data-security"&gt;- Honda Canada announced in May 2011 that hackers&lt;/a&gt; had accessed a Web server that held the 2009 information for about 280,000 of its customers. &lt;a href="http://threatpost.com/en_us/blogs/following-breach-283k-honda-canada-faces-lawsuit-053111"&gt;Officials at Honda said they detected&lt;/a&gt; the breach after noticing “an unusual volume of usage in the myHonda and myAcura Websites.” &lt;a href="http://www.thestar.com/business/article/998641--honda-rim-in-law-firms-sites"&gt;It has been reported&lt;/a&gt; that a class action lawsuit, seeking $200 million in damages against Honda was filed in Oshawa, Ontario.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;i&gt;Upcoming Deadlines&lt;/i&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;HIPAA Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Interested individuals may submit comments on the Department of Health and Human Services’ &lt;a href="http://www.federalregister.gov/articles/2011/05/31/2011-13297/hipaa-privacy-rule-accounting-of-disclosures-under-the-health-information-technology-for-economic"&gt;Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 Privacy Rules standard for accounting disclosures of protected health information&lt;/a&gt; by August 1, 2011 to &lt;a href="http://www.regulations.gov/"&gt;http://www.regulations.gov/&lt;/a&gt; (search for Proposed Rule). 
For Womble Carlyle’s coverage on this Notice of Proposed Rulemaking, please review our &lt;a href="http://www.wcsr.com/client-alerts/proposed-changes-to-hipaa-accounting-of-disclosures-provision-and-proposed-new-access-report-requirement"&gt;Client Alert&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-997700875857948838?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/997700875857948838/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/privacy-bulletin-issue-no-59.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/997700875857948838?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/997700875857948838?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/privacy-bulletin-issue-no-59.html" title="Privacy Bulletin: Issue No. 
59" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D0IHSHc5fCp7ImA9WhZUFUg.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-1682458860840290567</id><published>2011-06-08T13:50:00.002-04:00</published><updated>2011-06-08T13:52:19.924-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-08T13:52:19.924-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="electronic protected health information" /><category scheme="http://www.blogger.com/atom/ns#" term="U.S. Department of Health and Human Services" /><category scheme="http://www.blogger.com/atom/ns#" term="HIPAA" /><category scheme="http://www.blogger.com/atom/ns#" term="PHI" /><title>Proposed Changes to HIPAA Accounting of Disclosures Provision and Proposed New Access Report Requirement</title><content type="html">&lt;p&gt;On May 31, 2011, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule regarding the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) concerning accounting of disclosures of electronic protected health information (“PHI”). The proposed rule contains two main parts: (1) modifications to the existing accounting of disclosures requirements and (2) a new “access report” requirement. 
&lt;br /&gt;&lt;p&gt;Under this proposed change, covered entities would be responsible for keeping track of which business associates have designated record set information; obtaining such information from business associates and incorporating it into the access report; and aggregating into a single access report all of the electronic designated record set information that covered entities may have in a number of distinct systems that maintain separate access logs. Comments regarding HHS’ proposed rule may be submitted until August 1, 2011. &lt;br /&gt;&lt;p&gt;&lt;a href="http://www.wcsr.com/client-alerts/proposed-changes-to-hipaa-accounting-of-disclosures-provision-and-proposed-new-access-report-requirement"&gt;Click here for a Womble Carlyle Client Alert&lt;/a&gt; with more background on this proposed change. &lt;br /&gt;&lt;p&gt;If you have questions regarding this proposed rule, please contact &lt;a href="http://www.wcsr.com/lawyers/sarah-crotts"&gt;Sarah Crotts&lt;/a&gt; or &lt;a href="http://www.wcsr.com/lawyers/jill-girardeau"&gt;Jill Girardeau&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-1682458860840290567?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/1682458860840290567/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/proposed-changes-to-hipaa-accounting-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/1682458860840290567?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/1682458860840290567?v=2" /><link rel="alternate" type="text/html" 
href="http://wombleprivacy.blogspot.com/2011/06/proposed-changes-to-hipaa-accounting-of.html" title="Proposed Changes to HIPAA Accounting of Disclosures Provision and Proposed New Access Report Requirement" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DkMNR3g8fip7ImA9WhZUEEk.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-2848104762334274160</id><published>2011-06-02T15:52:00.002-04:00</published><updated>2011-06-02T15:54:56.676-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-02T15:54:56.676-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="geolocation privacy first amendment" /><title>No Place to Hide: First Amendment Protection for Location Privacy</title><content type="html">&lt;p&gt;The place you stand on the earth can speak volumes about you. Are you at home or at work? Are you in a meeting of political radicals or dining at an expensive restaurant? Are you peeking into a neighbor’s window or accepting an award for your contributions to humanity? Are you deep in the woods or lost in a crowd? Given the lack of public discourse on the subject, it seems that most Americans are not concerned about the privacy of their location. 
But the ability of family, friends, employers and the government to know where you are at any given moment is increasing dramatically with modern technology, and this loss of location privacy is affecting your fundamental rights under the Constitution.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.wcsr.com/articles/no-place-to-hide-first-amendment-protection-for-location-privacy"&gt;Click here to continue reading...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;-- &lt;a href="http://www.wcsr.com/lawyers/theodore-claypoole"&gt;&lt;em&gt;Ted Claypoole&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-2848104762334274160?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/2848104762334274160/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/no-place-to-hide-first-amendment.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2848104762334274160?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2848104762334274160?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/06/no-place-to-hide-first-amendment.html" title="No Place to Hide: First Amendment Protection for Location Privacy" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry 
gd:etag="W/&quot;AkUEQ3YycSp7ImA9WhZVEkk.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-8414780075881086809</id><published>2011-05-24T10:42:00.001-04:00</published><updated>2011-05-24T10:43:22.899-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-24T10:43:22.899-04:00</app:edited><title>EEOC Regulations Spotlight Social Media</title><content type="html">&lt;p&gt;Does your human resources staff dig into MySpace, snagging pictures of applicants at bong parties and finding admissions of employees stealing boxes of copy paper? Does your manager learn about the latest office pregnancy or skiing accident on Facebook? Is social media an official information source for your company?&lt;p&gt;If so, the EEOC is aiming to regulate your company’s use of social networking sites, especially as it relates to health data.&lt;p&gt;The EEOC commentary comes in the form of new anti-discrimination regulations and some interpretive guidance by the EEOC’s top lawyer. For several years the EEOC has cautioned of what one official has called “the snowballing problem” of potentially discriminatory hiring practices in the Internet era. Use of social media in particular creates further issues, as an employer may become aware of an individual’s protected characteristics such as marital status, sexual orientation, religious affiliation, or political activities.&lt;p&gt;The EEOC’s concerns are evidenced in long-awaited regulations implementing GINA (the federal Genetic Information and Nondiscrimination Act). The EEOC recognizes that advances in technology have made it possible for employers to obtain vast and varied information about employees and potential hires, including family medical history and medical conditions. 
This access creates significant compliance issues, as GINA not only prohibits employers from discriminating against employees and job applicants but also prohibits employers from acquiring employees’ genetic information.&lt;p&gt;Addressing this issue, the EEOC decided that the sharing of information over Facebook, Twitter, and other social networking sites is analogous to discussing such matters around the water cooler – with management in earshot. This scenario falls within the “inadvertent acquisition” exception to GINA’s prohibition on the employer’s acquisition and possession of employees’ genetic information.&lt;p&gt;Even if the acquisition of genetic information on social networking sites is not purposeful, employers must still address the significance of having obtained that information – which may be uncovered in the course of a routine background check of a potential hire. In a recent interview, P. David Lopez, general counsel for the EEOC was asked “What are the big, cutting-edge discrimination issues facing the EEOC?” Mr. Lopez responded “We’re going through difficult economic times right now. It’s important to identify discriminatory hiring practices and policies that are excluding people unlawfully from the workplace.” Questioned further, he was asked “With so much information available online about virtually everyone, how much checking should an employer do before making a hiring decision?” He answered “I think they need to be very cautious doing online background checks.” He further advised that “The employer should examine how it recruits and hires new people. Once you start digging, it’s not always passive.” &lt;em&gt;The Houston Chronicle&lt;/em&gt;, April 8, 2011.&lt;p&gt;The take-away? Employers should implement clear procedures for social media use in screening job applicants and avoid rogue searching. 
An employer in the possession of information about applicants’ or employees’ protected characteristics may face the challenge of establishing that employment decisions were made without regard for that information. A structured process with a division of duties between human resource professionals trained in the use of social media screening and managers making employment decisions offers one means of risk reduction. Such a division permits relevant information to reach decision-makers without unnecessary “inadvertently acquired” material obtained from social media sites.&lt;p&gt;Should you have any questions about the contents of this alert, please contact &lt;a href="http://www.wcsr.com/lawyers/mary-e-windham"&gt;Mary Windham&lt;/a&gt;, &lt;a href="http://www.wcsr.com/lawyers/theodore-claypoole"&gt;Ted Claypoole&lt;/a&gt; or &lt;a href="http://www.wcsr.com/lawyers/stephanie-l-shaw"&gt;Stephanie Shaw&lt;/a&gt; or any of Womble Carlyle’s &lt;a href="http://www.wcsr.com/profSearch?team=privacyanddataprotection"&gt;Privacy and Data Protection&lt;/a&gt; or &lt;a href="http://www.wcsr.com/profSearch?team=laboremployment"&gt;Labor &amp;amp; Employment&lt;/a&gt; lawyers.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-8414780075881086809?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/8414780075881086809/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/eeoc-regulations-spotlight-social-media.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8414780075881086809?v=2" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8414780075881086809?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/eeoc-regulations-spotlight-social-media.html" title="EEOC Regulations Spotlight Social Media" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DE8EQ3k5fip7ImA9WhZWGU8.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-7264204318505926502</id><published>2011-05-20T11:22:00.016-04:00</published><updated>2011-05-20T17:26:42.726-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-20T17:26:42.726-04:00</app:edited><title>Privacy Bulletin: Issue No. 58</title><content type="html">&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;India Enacts Final Privacy Rules which may Impact U.S. Companies that Outsource&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;India released its final privacy rules in four parts that went into effect April 13, 2011. These rules could have a significant impact on businesses that transact business in India, those businesses that outsource business activities to India or have subsidiaries or affiliates based in India that perform various back-office functions and other business activities.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The rules have requirements for the storage and use of “sensitive personal data or information,” which includes certain financial and health data such as bank account details, credit or debit card account details, physical, physiological and mental health conditions, and medical records. 
There are also rules impacting the transfer of “sensitive personal data or information” between companies in India or between entities in India and entities outside of India. These requirements may apply not only to Indian citizens but to foreign citizens as well. Thus, these rules could impact a wide variety of U.S. businesses that outsource to India. For example, many financial service providers outsource certain loan application functions to Indian companies or to subsidiaries or affiliates based in India. Many companies have customer call centers based in India that may handle customer billing issues, which may also be impacted.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;This piece only touches on some parts of the rules put in place by the Indian government. What remains to be seen is how the rules will be enforced by the Indian government. All businesses that transact business in India, outsource functions to Indian companies, or have subsidiaries or affiliates in India with access to the information governed by the rules should ensure that each is complying with these new rules. 
Links to the four sets of rules: &lt;a href="http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf"&gt;data security safeguard rules&lt;/a&gt;, &lt;a href="http://www.mit.gov.in/sites/upload_files/dit/files/GSR315E_10511%281%29.pdf"&gt;guidelines for cyber cafes&lt;/a&gt;, &lt;a href="http://www.mit.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf"&gt;intermediaries guidelines&lt;/a&gt;, and &lt;a href="http://www.mit.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf"&gt;electronic service delivery rules&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DO-NOT-TRACK Legislation Introduced in Senate&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://commerce.senate.gov/public/index.cfm?p=PressReleases&amp;amp;ContentRecord_id=971b9c02-b6a3-462f-933a-0ec0bd9c4c24"&gt;On May 9, 2011, Senator John D. Rockefeller (D-W.Va.) introduced&lt;/a&gt; “do not track” legislation that would allow consumers to block Internet companies from following their activity on the Web. The “Do-Not-Track Online Act of 2011” (S. 913) would give the Federal Trade Commission authority to draft specific rules about (i) how and when consumers could register their choice to be tracked by providers of online services or through providers of mobile applications and services, and (ii) rules that prohibit those providers from collecting personal information when a consumer has opted not to be tracked. The FTC and state attorneys general would be responsible for enforcing the law.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;“Recent reports of privacy invasions have made it imperative that we do more to put consumers in the driver’s seat when it comes to their personal information,” Sen. Rockefeller said in a statement. 
Womble Carlyle’s Privacy blog has covered recent allegations of privacy investigations such as Apple’s alleged collection and retention of precise location data through its iPhone product and Sony Corp.’s reported breach exposing the personal data of more than 100 million of its online video game users (See Privacy Bulletin: Issues &lt;a href="http://wombleprivacy.blogspot.com/2011/05/privacy-bulletin-issue-no-57.html"&gt;57&lt;/a&gt; and &lt;a href="http://wombleprivacy.blogspot.com/2011/03/udid-next-privacy-frontier.html"&gt;55&lt;/a&gt;).&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Along these lines, Senator Al Franken (D-MI) recently held a hearing to review this location-based data. “Consumers have a fundamental right to know what data is being collected about them,” &lt;a href="http://www.businessweek.com/news/2011-05-10/lawmakers-press-apple-google-on-smartphone-users-privacy.html"&gt;Sen. Franken said, as reported on Bloomberg Business Week&lt;/a&gt;. “And yet reports that the information on our mobile devices is not being protected in the way it should be.” Testifying in this &lt;a href="http://judiciary.senate.gov/hearings/hearing.cfm?id=5157"&gt;hearing&lt;/a&gt; were, among others, the FTC, the Department of Justice, Google, Inc., and Apple, Inc. Copies of the witnesses’ written testimony are available &lt;a href="http://judiciary.senate.gov/hearings/hearing.cfm?id=5157"&gt;online&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Washington Enacts Bill Restricting Access to Juvenile Records&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;On May 12, Governor Christine Gregoire (D-Wash.) signed into &lt;a href="http://apps.leg.wa.gov/documents/billdocs/2011-12/Pdf/Bills/Session%20Law%202011/1793-S.SL.pdf"&gt;law&lt;/a&gt; House Bill 1793, which restricts access to juvenile records. 
Effective July 22, 2011, the bill prohibits credit reporting agencies from generating consumer reports that contain juvenile records when the subject of the records is twenty-one years old or older at the time of the report. In an attempt to balance the public’s right to information with the goal of rehabilitating juvenile offenders and reintegrating juvenile offenders into society by keeping their records private, the act provides several instances when juvenile records can be used in credit reports. These instances include use in connection with credit and life insurance transactions in excess of fifty thousand ($50,000) dollars and use in employment investigations in excess of twenty thousand ($20,000) dollars. The Act also amends certain provisions related to the sealing of juvenile records and establishes a joint legislative task force which is tasked with determining how to cost-effectively restrict public access to juvenile records when an individual has met statutory requirements and reporting its findings and recommendations to the governor and legislature by December 15, 2011.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;ACLU Asks for More Information on Michigan State Police Use of “Data Extraction Devices”&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The American Civil Liberties Union has requested information from the Michigan State Police over its use of “data extraction devices,” &lt;a href="http://news.cnet.com/8301-17938_105-20055431-1.html"&gt;reports CNet&lt;/a&gt;. It was alleged that the Michigan State Police are using these devices on motorists the Police pull over. 
“Data extraction devices” can download text messages, photos, videos, and even GPS data from many brands of cell phones.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The &lt;a href="http://news.cnet.com/8301-1009_3-20055961-83.html?tag=mncol;txt"&gt;Michigan State Police responded to this request&lt;/a&gt; by stating that it is not using these devices during routine traffic stops but only uses the devices when it has obtained a search warrant or has the consent of the cell phone owner, CNet reports. CNet further reports that the State Police stated that, "the MSP does not possess DEDs that can extract data without the officer actually possessing the owner's mobile device. The DEDs utilized by the MSP cannot obtain information from mobile devices without the mobile-device owner knowing."&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The ACLU later stated that it was not accusing the Michigan State Police of wrongdoing but was still seeking further information on the Police’s use of these devices.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Indiana Enacts Bill Extending Do Not Call to Cell Phones and VoIP and Instituting other Consumer Protection Programs&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;On May 13, Indiana Governor Mitch Daniels (R) signed House Bill 1273, an &lt;a href="http://www.in.gov/legislative/bills/2011/HE/HE1273.1.html"&gt;Act&lt;/a&gt; to amend the Indiana Code concerning trade regulation. Among the many amendments contained in the bill, the Act amended the Do Not Call provisions enacted in connection with the &lt;a href="http://www.donotcall.gov/"&gt;National Do Not Call List&lt;/a&gt; to include phone calls placed to mobile telecommunications services, VoIP subscribers, and prepaid wireless calling services. Effective immediately, the law allows Indiana residents to register any wireless or VoIP telephone number associated with their residential addresses or a prepaid wireless number that is used primarily in Indiana. 
The definition of a “telephone sales call” was broadened to include text messages sent to a wireless phone number and thus prohibits the sending of solicitations by text to numbers that are on the Do Not Call list. Violators of the law are subject to the same penalties, including fines up to ten thousand dollars ($10,000) for the first violation and twenty-five thousand dollars ($25,000) for subsequent violations, as those who call a registered landline.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In addition to the Do Not Call provisions, the Act also made other consumer protection changes including, for example, clarifying that a violation of the federal Fair Debt Collection Practices Act as well as other state consumer protection statutes constitutes a violation of the state provision on deceptive consumer sales and requiring that specific information be collected and stored about residential mortgage and real estate transactions.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/7264204318505926502/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/privacy-bulletin-issue-no-58.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/7264204318505926502?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/7264204318505926502?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/privacy-bulletin-issue-no-58.html" title="Privacy Bulletin: Issue No. 
58" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;C0EDQXw7eCp7ImA9WhZXFk8.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-5702037386536981699</id><published>2011-05-05T11:54:00.002-04:00</published><updated>2011-05-05T14:54:30.200-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-05T14:54:30.200-04:00</app:edited><title>Privacy Bulletin: Issue No. 57</title><content type="html">&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Maryland Enacts Credit History Bill; Takes Up Health Privacy&lt;/span&gt;&lt;/strong&gt;&lt;p&gt;The Maryland Legislature has been active in the Privacy arena, passing the &lt;a href="http://mlis.state.md.us/2011rs/bills/sb/sb0132e.pdf"&gt;Job Applicant Fairness Act&lt;/a&gt; (SB 132/H.B. 87), which was signed into law by Governor Martin O’Malley on April 12 and moving forward on legislation which would require the Maryland Health Care Commission (“MHCC”) to develop regulations focused on the privacy and security of protected health information transmitted via a health information exchange (&lt;a href="http://mlis.state.md.us/2011rs/bills/sb/sb0723t.pdf"&gt;SB 723&lt;/a&gt;/&lt;a href="http://mlis.state.md.us/2011rs/bills/hb/hb0784t.pdf"&gt;HB 784&lt;/a&gt;).&lt;p&gt;Effective October 1, 2011, the Job Applicant Fairness Act prohibits employers from using an applicant’s or employee’s credit report or history in determining whether to (i) hire the applicant, (ii) fire the employee, (iii) or determine employee compensation or other terms, conditions, or privileges of employment. 
The bill is applicable to all employers excluding employers who are required to inquire into an employee or applicant’s credit report or history by law, financial institutions that accept federally insured deposits, credit union share guaranty corporations, or entities that are registered with the SEC as an investment advisor. In addition, the bill contains provisions which authorize an employer to request or use an employee’s credit report in specific instances, such as when the employer has a bona fide purpose that is substantially job-related for requesting or using a credit report and discloses such request in writing to the affected individual. Violations of the act may be reported to the Commissioner of Labor and Industry who may resolve the matter informally or assess civil penalties up to $500 for an initial violation or $2,500 for a repeated violation. With the passage of this law, Maryland is one of four other states that have laws limiting the use of credit data for employment purposes.&lt;p&gt;The Maryland Legislature also concurrently sent identical House and Senate bills to Governor O’Malley for approval that would require the MHCC to adopt regulations governing privacy and security that would ensure that personal health information transmitted via a health information exchange is protected consistent with the federal Health Insurance Portability and Accountability Act. If enacted, the law would prohibit the sale of data obtained or released through a health information exchange until regulations are adopted by MHCC and would require the MHCC to adopt regulations that promote technology standards that conform to the standards of the Office of the National Coordinator for Health Information Technology and limit the scope of clinical information to information that is exchanged to purposes that promote improved access to clinical records or uses of the state designated exchange important to public health agencies. 
Governor O’Malley has until May 31 to sign or veto this measure, which would be effective October 1, 2011, if enacted.&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;PlayStation Data Breach Puts 77 Million Customers at Risk&lt;/span&gt;&lt;/strong&gt;&lt;p&gt;Most gamers wouldn’t think their personal, confidential information could be compromised simply by playing a video game online. But an attack on Sony’s PlayStation Network, &lt;a href="http://thehill.com/blogs/hillicon-valley/technology/158149-sony-users-personal-data-wasnt-encrypted"&gt;as reported on TheHill.com&lt;/a&gt;, may impact up to 77 million consumers worldwide.&lt;p&gt;The extent of the breach has yet to be fully determined. But Sony confirmed that user account information was compromised, including users’ names, addresses, email addresses, birthdates, passwords, and logins. Perhaps most damaging is the possible exposure of credit card numbers. Sony said that while it does not believe that its customers’ credit card numbers were compromised, it cannot rule out that possibility.&lt;p&gt;Sony has come under some criticism for waiting more than a week to inform customers of the data breach. It is alleged that the lag in reporting could give the hackers more time to potentially exploit stolen customer information. &lt;a href="http://blumenthal.senate.gov/press/release/index.cfm?id=82698973-255D-4B92-9E18-39E5937C9361"&gt;Senator Richard Blumenthal (D-CT) sent Sony a letter&lt;/a&gt; criticizing the company for its failure to inform its customers.&lt;p&gt;As a result of this security breach, Sony reportedly has shut down its servers and hired an outside firm to strengthen its security protections. So far, Sony has not provided any details as to how the breach happened. 
The Chicago Sun-Times reports that &lt;a href="http://www.suntimes.com/business/5074406-570/playstation-breach-called-one-of-worst.html"&gt;the FBI is investigating&lt;/a&gt;.&lt;p&gt;This incident has already prompted a lawsuit against Sony. &lt;a href="http://www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL"&gt;The first class-action lawsuit was filed by Kristopher Jones of Alabama in the United States District Court for the Northern District of California&lt;/a&gt;. The lawsuit accuses Sony of breach of warranty, negligent data security, and violations of consumers’ rights of privacy. Given the scope of the breach, it seems inevitable that more lawsuits will follow.&lt;p&gt;On May 3, 2011, &lt;a href="http://www.sony.net/SonyInfo/News/Press/201105/11-0503E/index.html"&gt;Sony communicated&lt;/a&gt; that a second breach had taken place April 16-17, before the PlayStation intrusions. Sony said that hackers may have stolen about 12,700 credit or debit card numbers (but not credit card security codes) of users in countries outside the United States and about 10,700 direct debit records of customers in Austria, Germany, Netherlands, and Spain.&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;U.S. Supreme Court Examines Prescription Privacy Laws in Connection with Data Mining&lt;/span&gt;&lt;/strong&gt;&lt;p&gt;On Tuesday, April 26, 2011, &lt;a href="http://www.scotusblog.com/?p=118725"&gt;oral arguments&lt;/a&gt; were heard before the Supreme Court in &lt;a href="http://www.ca2.uscourts.gov/decisions/isysquery/9ca25622-5b69-45b1-a410-a1ce46eaea5c/1/doc/09-1913_opn.pdf"&gt;&lt;em&gt;Sorrell&lt;/em&gt; &lt;em&gt;v. IMS Health Inc.&lt;/em&gt;&lt;/a&gt; on whether a Vermont law prohibiting the sale of raw patient data by pharmacies to data mining companies constitutes an impermissible restriction on commercial speech. Vermont passed its law in 2007. The state claimed it was protecting patient privacy and stopping an unwanted “data mining” practice. 
The drug companies challenged the state law on the grounds it violated the First Amendment by restricting commercial speech.&lt;p&gt;In Vermont, it was alleged that pharmacies collected information on patient drug prescriptions, and then sold that raw data (redacting personal information about the patients) to data collection agencies. The collection agencies then sold the information to pharmaceutical companies, which used that data to drive their marketing decisions.&lt;p&gt;The Vermont law was upheld at the District Court level but was found to be an impermissible restriction on commercial speech by the U.S. Court of Appeals for the Second Circuit. Should the Supreme Court rule in favor of the state, it is likely that other state legislatures will pass similar restrictions on prescription data mining. Both Maine and New Hampshire enacted similar laws; both of these statutes were also challenged in court and are in various stages of adjudication.&lt;p&gt;Womble Carlyle will continue to monitor this case and its potential impact on the number of companies that collect and sell consumers’ personal information.&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Texas Agency Accidentally Exposes Personal Data of 3.5 Million&lt;/span&gt;&lt;/strong&gt;&lt;p&gt;Texas State Comptroller Susan Combs recently said her office &lt;a href="http://www.txsafeguard.org/news/110411-security.php"&gt;inadvertently exposed personal information&lt;/a&gt;—including Social Security numbers—of approximately 3.5 million people on its public Web site. The information was exposed for close to a year before the breach was discovered. Most of the people affected were state employees or retired state workers.&lt;p&gt;Combs' office is offering one year of free credit monitoring to the affected individuals to ensure their accounts aren’t being misused. 
Combs’ campaign fund (not the state) &lt;a href="http://www.txsafeguard.org/news/110428-offer.php"&gt;will pay to restore&lt;/a&gt; the identity of anyone whose information is misused as a result of the breach. A special Web site, &lt;a href="http://www.txsafeguard.org/"&gt;http://www.txsafeguard.org/&lt;/a&gt;, and toll-free number have been set up to answer questions and respond to inquiries.&lt;p&gt;On April 29th, Thomson Reuters &lt;a href="http://newsandinsight.thomsonreuters.com/Legal/News/2011/04_-_April/Texas_state_employees_sue_comptroller_over_privacy_breach/"&gt;reported that the first class action lawsuit&lt;/a&gt; was filed over this privacy breach and it appears another lawsuit may be imminent.&lt;p&gt;“I am deeply sorry this incident occurred and I take full responsibility for it,” Combs said in her &lt;a href="http://www.txsafeguard.org/news/110428-offer.php"&gt;April 28th press release&lt;/a&gt;. “This incident has affected the lives of Texans that I have dedicated my life to serving, and I am determined to restore their faith in the Comptroller's office. That's why we are taking additional actions to assist those who were affected and implementing new policies and procedures to help ensure this never happens again.”&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Senate to Hold Hearing on iPhone, Android Collection of User Data&lt;/span&gt;&lt;/strong&gt;&lt;p&gt;Senator Al Franken (D-Minn.) announced that he will hold a &lt;a href="http://franken.senate.gov/?p=press_release&amp;amp;id=1462"&gt;Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing&lt;/a&gt; on Apple and Google’s collection of consumer data via the iPhone and smart phones using Google’s Android system. &lt;a href="http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html?mod=WSJ_hp_MIDDLETopStories"&gt;According to recent media reports&lt;/a&gt;, some iPhone and Android users are reporting that their locations are being tracked. 
The hearing is scheduled for May 10th. Representatives from Apple and Google have been invited to appear.&lt;p&gt;“The same technology that has given us smart phones...has also allowed these devices to gather extremely sensitive information about users, including detailed records of their daily movements and location,” Franken said. Yahoo News also reported that Illinois Attorney General Lisa Madigan &lt;a href="http://news.yahoo.com/s/pcworld/20110425/tc_pcworld/lawmakersquizapplegoogleaboutlocationtracking_1"&gt;expressed similar concerns&lt;/a&gt; in a separate letter.&lt;p&gt;This is not Franken’s first inquiry into this issue. &lt;a href="http://www.franken.senate.gov/files/letter/110420_Apple_Letter.pdf"&gt;In a letter to Apple’s Steve Jobs&lt;/a&gt; dated April 20, 2011, Franken asked why the company was “secretly compiling” the data and what it would be used for. Franken’s letter further emphasized that this information is stored in an unencrypted format, which makes it more susceptible to access by a malicious person. 
In addition, the letter raised serious concerns about the millions of children and teenagers who use iPhone or iPad devices.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-5702037386536981699?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/5702037386536981699/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/privacy-bulletin-issue-no-57.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/5702037386536981699?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/5702037386536981699?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/privacy-bulletin-issue-no-57.html" title="Privacy Bulletin: Issue No. 57" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CE8MQn44cCp7ImA9WhZXFUk.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-907922039462917631</id><published>2011-05-04T16:58:00.002-04:00</published><updated>2011-05-04T17:01:23.038-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-04T17:01:23.038-04:00</app:edited><title>NLRB Announces Another Settlement Protecting Employee “Facebook Complaints”</title><content type="html">&lt;p&gt;The NLRB was not joking – complaints about your boss on Facebook could be protected speech in the employment context. 
&lt;br /&gt;&lt;p&gt;On April 27, 2011 &lt;a href="http://www.nlrb.gov/news/regional-news-buildcom-settles-charge-unlawful-discharge-comments-posted-facebook-nlrb-agreemen"&gt;the NLRB publicized settlement of a charge&lt;/a&gt; brought by a former employee of a web-based home improvement retailer operating out of Chico, California discharged after posting comments about the company to her Facebook page. The April 27, 2011 press release does not provide details of the employee’s comments. However, it quotes Regional Director Joseph Frankl, who expressed satisfaction that “the employer has recognized the rights of its employees to use social networking sites to comment about their working conditions.” The release also describes settlement terms and explicitly notes that the employees in this case were not represented by a union.&lt;a title="" style="mso-footnote-id: ftn1" href="http://www.blogger.com/post-create.g?blogID=5076505540463819273#_ftn1" name="_ftnref1"&gt;[1]&lt;/a&gt; &lt;br /&gt;&lt;p&gt;This settlement was announced on the heels of the highly publicized unfair practices settlement with ambulance service provider American Medical Response of Connecticut, Inc. (“AMR”). The AMR complaint alleged that AMR illegally terminated an employee who called her employer a mental patient in a Facebook post in violation of the company’s social media policy. On February 8, 2011 the NLRB issued a press release highlighting the terms of the settlement protecting the employee’s right to Facebook gripes about her employer. &lt;br /&gt;&lt;p&gt;By issuing press releases announcing the filing and settlement of complaints arising from employee discipline for Facebook postings the NLRB has brought social media cases into national prominence. The Board’s communications signal that the NLRB has a heightened interest in social media and other policies that restrict employee communications. 
Its current focus raises questions as to how employers may permissibly seek to reduce the risk that employees’ off-duty social media activity may damage their reputations or expose them to liability. &lt;br /&gt;&lt;p&gt;Some guidance may be found by review of the NLRB complaint against AMR. The complaint alleges that the company maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. A portion of that employer’s “Blogging and Internet Posting Policy” quoted in the complaint read as follows: &lt;br /&gt;&lt;p&gt;Employees are prohibited from making disparaging, discriminatory, or defamatory comments when discussing the Company or the employee’s superiors, co-workers, and/or competitors. &lt;br /&gt;&lt;p&gt;As reported by the NLRB in its November 2, 2010 News Release from the Office of the General Counsel, an NLRB investigation found that the employee’s Facebook postings constituted protected concerted activity, and that the company’s blogging and Internet posting policy set forth above contained unlawful provisions. (The release does not contain further detail of what specific policy language the Board considered to be unlawful.) The NLRB News Release of February 7, 2011, specifies that under the terms of the settlement, the company agreed to “revise its overly-broad rules to insure that they do not improperly restrict employees from discussing their wages, hours, and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.” In the build.com case, the employer agreed to post a notice at the workplace for 60 days stating that employees have the right to post comments about the terms and conditions of their employment on their social media pages, and that they will not be terminated or otherwise punished for such conduct. 
&lt;br /&gt;&lt;p&gt;The NLRB confirmed its intention to continue pursuing employees’ social media rights in a March 16, 2011 teleconference reviewing recent Board decisions and regulatory actions. Accordingly, employers should carefully review their social media policies. Should they contain provisions similar to that which the Board has deemed “overly-broad,” statements may be added that in no event is protected activity prohibited. In addition to the use of a disclaimer, examples of prohibited and protected activities and speech may be added to minimize ambiguity. &lt;br /&gt;&lt;p&gt;&lt;a title="" style="mso-footnote-id: ftn1" href="http://www.blogger.com/post-create.g?blogID=5076505540463819273#_ftnref1" name="_ftn1"&gt;&lt;span style="font-size:85%;"&gt;[1]&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Employers without a unionized workforce may not pay close attention to the decisions of the NLRB, presuming that they do not apply to them. But often they do, as Section 7 of the NLRA guarantees that all employees – regardless of union status – have the right to engage in “concerted activities for the purpose of . . . 
mutual aid or protection.”&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-907922039462917631?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/907922039462917631/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/nlrb-announces-another-settlement.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/907922039462917631?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/907922039462917631?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/05/nlrb-announces-another-settlement.html" title="NLRB Announces Another Settlement Protecting Employee “Facebook Complaints”" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CkcBSH0zfyp7ImA9WhZXFUk.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-4011878302764702854</id><published>2011-04-18T12:06:00.005-04:00</published><updated>2011-05-04T16:14:19.387-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-04T16:14:19.387-04:00</app:edited><title>Privacy Bulletin: Issue No. 56</title><content type="html">&lt;p&gt;In a bipartisan effort to address privacy issues, on April 12, 2001, Sen. John Kerry (D-Ma) and Sen. John McCain (R-Az.) 
introduced “The Commercial Privacy Bill of Rights Act of 2011” (&lt;a href="http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf"&gt;SB 799&lt;/a&gt;). Applicable to any person who collects, uses, transfers or stores personally identifiable information (“PII”), unique identified information (“UII”), or other related information that may be reasonably used to identify a specific individual concerning more than 5,000 individuals during any consecutive 12-month period, the bill set forth three privacy rights such information collecting entities should follow in designing their privacy policies:&lt;p&gt;&lt;strong&gt;The Right to Security and Accountability&lt;/strong&gt;&lt;ul&gt;&lt;li&gt;Security measures to protect covered information must be implemented by each affected person.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;The Right to Notice, Consent, Access, and Correct Information&lt;/strong&gt;&lt;ul&gt;&lt;li&gt;Clear notices must be provided to individuals about collection practices and the purpose for such collection.&lt;/li&gt;&lt;li&gt;Information collectors must provide individuals with the ability to opt-out of information collection and provide opt-ins for the collection of sensitive PII.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;The Right to Data Minimization, Distribution Constraints, and Data Integrity&lt;/strong&gt;&lt;ul&gt;&lt;li&gt;Information collectors would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service or use the information for research purposes to correct and improve the transaction or service.&lt;/li&gt;&lt;li&gt;Information collectors must contract with third parties to ensure that any information transferred to third parties maintains the same protections required by the Act and that the information is not combined by the third party with other information in order to identify the individual.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In 
addition to the above privacy rights, the bill also includes provisions that direct the State Attorneys General and Federal Trade Commission (“FTC”) to enforce the bill’s provisions, provided that there is no simultaneous enforcement by both, and allow the FTC to approve nongovernmental organizations’ governing of voluntary safe harbor programs that, if joined, would exempt participants from some of the bill’s provisions. The bill would also prevent private rights of action to enforce its provisions and direct the Department of Commerce to coordinate the development of safe harbor programs by convening stakeholders.&lt;p&gt;&lt;strong&gt;Increased Email Fraud Expected Following Epsilon Data Breach&lt;/strong&gt;&lt;p&gt;On April 1, 2011, Epsilon, one of the largest permission-based email marketing providers, notified its clients that it detected an unauthorized entry into its email system on March 30. Epsilon’s investigation estimated that approximately 2 percent of Epsilon’s clients were affected and that only email addresses and/or an individual’s name were breached. However, the clients affected in the 2 percent of Epsilon’s estimated 2,500 customers include numerous large corporations that fall into a wide range of industry sectors. A list of all companies affected by the breach can be found &lt;a href="http://www.databreaches.net/?p=17374"&gt;here&lt;/a&gt;. As the list sounds like a who’s who of businesses, affected companies are warning consumers to beware of email phishing, increased spam, email fraud and other email scams. Epsilon’s parent company, Alliance Data, is working with federal authorities to further investigate the security breach and will implement any necessary additional security safeguards. 
It is likely that the complete effect of the security breach will not be realized for several months, but any consumers who receive suspicious emails should report such emails to the related company and local authorities.&lt;p&gt;&lt;strong&gt;Google Agrees to 20-Year Privacy Audit Program in Proposed Settlement with FTC&lt;/strong&gt;&lt;p&gt;Following allegations that Google used deceptive tactics and violated its privacy policy and its adherence to the EU Safe Harbor by automatically enrolling users and making users’ previously private profile information searchable and followable in connection with the launch of its social networking platform Buzz, the company entered into a landmark &lt;a href="http://www.ftc.gov/os/caselist/1023136/110405googlebuzzfrn.pdf"&gt;proposed Consent Agreement&lt;/a&gt; with the Federal Trade Commission.&lt;p&gt;As part of the settlement, Google is prohibited from misrepresenting the privacy or confidentiality of its users’ information and its compliance with its privacy policies and the U.S.-E.U. Safe Harbor. In addition, Google must obtain its users’ consent before sharing their information with third parties if Google modifies its privacy practices contrary to what was in place when the user’s information was collected. Finally, the settlement requires Google to set up a comprehensive privacy program and have audits conducted every two years for the next twenty years to assess the company’s privacy and data protection practices and confirm compliance with its policies. In connection with its release of the proposed Consent Agreement, the FTC also released an &lt;a href="http://www.ftc.gov/os/caselist/1023136/110330googlebuzzanal.pdf"&gt;analysis&lt;/a&gt; of the proposed consent order and is accepting public comment until May 2, 2011.&lt;p&gt;The FTC’s requirement for Google to implement a comprehensive privacy program is believed to be the first of its kind. 
The settlement may start a trend toward the affirmative implementation of privacy programs in the face of allegations of privacy violations and force companies to design privacy mechanisms in their product and service offerings. In fact, in subsequent comments, the FTC has indicated that adopting a comprehensive privacy program that follows the best practices stated in the order is a sound idea for all companies. Those interested in submitting electronic comments on the proposed consent decree should use the following link: &lt;a href="https://ftcpublic.commentworks.com/ftc/googlebuzz"&gt;https://ftcpublic.commentworks.com/ftc/googlebuzz&lt;/a&gt;. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.&lt;p&gt;&lt;strong&gt;NJ Feds Allegedly Investigating Privacy Violations of Smart Phone Applications&lt;/strong&gt;&lt;p&gt;Following Pandora Media’s April 4 comments in a filing with the U.S. Securities and Exchange Commission that it was subpoenaed for information concerning information-sharing practices by Apple, Android, and other smart phone applications, the Wall Street Journal has &lt;a href="http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html?mod=e2tw"&gt;reported&lt;/a&gt; that federal prosecutors in New Jersey are looking into whether smart phone applications illegally obtained or transmitted user information in violation of the Computer Fraud and Abuse Act. 
This federal investigation comes on the heels of earlier civil class action lawsuits filed by individuals who claim that smart phone applications they downloaded transmitted their personal identifying information to advertisers without consent and a &lt;a href="http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html"&gt;Wall Street Journal article&lt;/a&gt; that examined 101 popular smart phone applications and found that more than half sent the device’s unique device identifier (“UDID”) or personal details like age and gender to other companies without the user’s awareness or consent. It is unclear which companies are the specific target of the federal investigation (Pandora indicates it was not a specific target of the investigation), but the subpoena could potentially lead to further action by New Jersey and the FTC in the face of complaints of unfair and deceptive trade practices.&lt;p&gt;&lt;strong&gt;Netflix Faces New Class Action Lawsuit Related to Retaining Customer Records&lt;/strong&gt;&lt;p&gt;&lt;a href="http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv01218/238147/1/"&gt;A recent lawsuit filed in California&lt;/a&gt; alleges that the popular video rental service violated federal and state law by not destroying records containing personal customer information after those customers cancelled their service. The plaintiffs allege that Netflix improperly retained data relating to both the customers’ payment information and viewing habits. Netflix uses these metrics to recommend similar movies that customers may like, and these personalized recommendations have been an important part of the company’s service model.&lt;p&gt;But the plaintiffs allege keeping data from former subscribers violates the federal Video Privacy Protection Act, which makes it illegal for companies to disclose customer videotape rentals or purchases. 
They also claim Netflix violated a California state law that protects customer records.&lt;p&gt;Last March, Netflix settled a class action suit brought on similar grounds. This time, the plaintiffs are seeking up to $5,500 for each alleged violation. Given that the case was filed on March 11, 2011, the litigation is just beginning and no decision on class certification has yet occurred. Womble Carlyle will be monitoring this case and its potential impact on subscription-based companies that collect customer data.&lt;p&gt;&lt;strong&gt;Social Media Promotion Backfires on Chicago Business&lt;/strong&gt;&lt;p&gt;Today many businesses are using social media outlets, such as Twitter, Facebook and LinkedIn, to reach customers and clients. But as indicated by a recent lawsuit filed against one Illinois company, companies are still navigating the proper way to use these tools and protect privacy rights.&lt;p&gt;A former employee of the Susan Fredman Design Group, a Chicago-based interior design firm, has sued her ex-employer alleging that the company impersonated her on her personal Facebook and Twitter accounts, using those posts to promote the company’s business.&lt;p&gt;The employee, Jill Maremont, created social media content for the company as part of her job. But while she was in the hospital following a serious auto accident, posts promoting the company still appeared under her name on her personal accounts – posts Maremont says she didn’t write. In the complaint, Maremont says she asked her co-workers to stop impersonating her online, but they continued to do so. The case (&lt;em&gt;Maremont v. Susan Fredman Design Group&lt;/em&gt;) is currently being heard in the U.S. District Court for the Northern District of Illinois. 
On March 15th, &lt;a href="http://docs.justia.com/cases/federal/district-courts/illinois/ilndce/1:2010cv07811/250293/25/"&gt;a judge granted in part and denied in part&lt;/a&gt; the defendant’s motion to dismiss.&lt;p&gt;The lesson here seems obvious, but it bears repeating: businesses should draw a bright line between professional social media accounts designed to promote the business and employees’ personal accounts.&lt;p&gt;&lt;strong&gt;Borrowed Rental Car Carries No Claim to Privacy&lt;/strong&gt; &lt;br /&gt;&lt;p&gt;If you drive a rental car, but your name is not on the rental agreement, do you have a legitimate claim to privacy if police want to search the car? The U.S. Court of Appeals for the Third Circuit says no. The Court ruled that a person who borrows a rental car has no standing to challenge a search of the car.&lt;p&gt;The case (&lt;em&gt;United States v. Kennedy&lt;/em&gt;) &lt;a href="http://caselaw.findlaw.com/us-3rd-circuit/1559667.html"&gt;stemmed from the arrest&lt;/a&gt; of Shamone Kennedy in Philadelphia. Police impounded the rental car Kennedy had been driving, which had been loaned to him by his girlfriend. When they searched the car, officers found two guns and 200 grams of cocaine. Police then charged Kennedy with additional counts related to this discovery.&lt;p&gt;Kennedy’s attorneys said the search and seizure was improper. But a U.S. District Court said that since Kennedy wasn’t listed on the rental agreement as a driver of the car, he had no legitimate expectation of privacy and denied the motion. 
On March 16th, the Court of Appeals upheld that ruling.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-4011878302764702854?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/4011878302764702854/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/04/kerry-and-mccain-introduce-consumer.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/4011878302764702854?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/4011878302764702854?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/04/kerry-and-mccain-introduce-consumer.html" title="Privacy Bulletin: Issue No. 
56" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;A04MRns_fyp7ImA9WhZXFU4.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-2808855869628736451</id><published>2011-03-21T10:04:00.001-04:00</published><updated>2011-05-04T16:13:07.547-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-04T16:13:07.547-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="udid" /><category scheme="http://www.blogger.com/atom/ns#" term="Iphone" /><category scheme="http://www.blogger.com/atom/ns#" term="Apple" /><category scheme="http://www.blogger.com/atom/ns#" term="unique device identifier" /><title>Privacy Bulletin: Issue No. 55</title><content type="html">&lt;p&gt;Companies that make their money in the mobile computing space – application developers, device manufacturers, software adaptors – have a new worry. Many functions and applications used on iPhone devices currently rely on reporting that includes the UDID unique device identifier. Two new lawsuits against Apple for its use of UDID information may change the way that mobile functions and applications are built, managed and paid for. &lt;p&gt;The UDID for the iPhone is a 40 character identifier that is set by Apple and stays with the specific defined device forever. Its function is to uniquely identify any one iPhone, allowing the UDID to be connected with the name and behaviors of that iPhone’s user. &lt;p&gt;The Wall Street Journal may have started the snowball of lawsuits rolling in its ongoing series of articles about how the computer industry tracks people using the internet. 
The Journal’s investigation examined 101 popular smartphone applications (“Apps”) and found that 56 of them sent the UDID for their smart phones to other companies without the user’s awareness or consent. Five of the Apps transmitted personal details of the user like age and gender. &lt;p&gt;Because each UDID is specific to each iPhone, it cannot be shut down or suppressed by users in the way that cookies may be deleted on laptop or desktop computers. The suits against Apple complain that releasing this information without the user’s consent or knowledge violates a number of U.S. federal and state laws including the Electronic Communications Privacy Act. &lt;p&gt;The complaint in one of the lawsuits stated: “Apple’s privacy policy is opaque and confusing, but one thing is clear: it does not inform mobile device users that by providing application developers with their UDID, Apple enables them to put a name to highly personal and in many cases, embarrassing information, derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous.” &lt;p&gt;Womble Carlyle will be following these and other mobile privacy cases closely and will keep you informed as the courts make decisions that could affect the business models for mobile computing.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/2808855869628736451/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/udid-next-privacy-frontier.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2808855869628736451?v=2" /><link 
rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2808855869628736451?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/udid-next-privacy-frontier.html" title="Privacy Bulletin: Issue No. 55" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DUMDQ3wzeyp7ImA9Wx9aF0s.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-108857550370933580</id><published>2011-03-09T15:51:00.001-05:00</published><updated>2011-03-10T09:31:12.283-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-10T09:31:12.283-05:00</app:edited><title>Privacy Bulletin: Issue No. 54</title><content type="html">&lt;p&gt;&lt;strong&gt;Feds Crack Down on HIPAA Privacy Rule Violations, Issue Huge Fines&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At the end of February, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two press releases concerning million dollar HIPAA Privacy Rule violations. Under the HIPAA Privacy Rule, health plans, health care clearinghouses and covered health care providers are required, subject to both civil and criminal penalties, to protect the privacy of patient information through the use of constant administrative, physical and technical safeguards. In a &lt;a href="http://www.hhs.gov/news/press/2011pres/02/20110222a.html"&gt;February 22 press release&lt;/a&gt;, OCR announced its imposition of a $4.3 million civil penalty for Cignet Health’s (Prince George’s County, MD) violation of the HIPAA Privacy Rule, which marked the first civil money penalty issued by HHS for HIPAA Privacy Rule Violations. 
Cignet Health was found to have willfully neglected its duty to comply with the Privacy Rule. Two days later, on February 24, OCR announced in a &lt;a href="http://www.hhs.gov/news/press/2011pres/02/20110224b.html"&gt;press release&lt;/a&gt; a $1 million settlement with Massachusetts General for alleged violations of the HIPAA Privacy Rule. The settlement payment arose from an OCR investigation following Massachusetts General’s loss of the protected health information (“PHI”) of 192 patients. The investigation indicated that Massachusetts General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI. In connection with the settlement, Massachusetts General also agreed to enter into a Corrective Action Plan to develop, implement, train and enforce privacy policies that ensure PHI is protected. The ramifications of both incidents should serve as a reminder to businesses in the healthcare sector of their responsibility to protect their patients' privacy. As noted by OCR Director Georgina Verdugo, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Supreme Court Holds Corporations do not have Personal Privacy for purposes of FOIA Exemption&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;In interpreting a provision of the Freedom of Information Act, the Supreme Court held that corporations are not entitled to personal privacy rights that protect the release of sensitive information. See FCC v. AT&amp;amp;T, No. 09-1279 (March 1, 2011). As a result, AT&amp;amp;T could not prevent release of documents compiled during an FCC investigation into whether the company overcharged for the use of the Internet. 
The Supreme Court ruling overturned a 3rd Circuit opinion which supported AT&amp;amp;T’s position that corporations were covered by Exemption 7 of the Freedom of Information Act, which prevented disclosure of information that would cause an unwarranted invasion of personal privacy. AT&amp;amp;T’s argument focused on the definition of the term person, which the 3rd Circuit said was often defined in the law to include partnerships, associations, and corporations. Writing for the Court, Justice Roberts disagreed and noted that the word personal was not often used to refer to corporations and was frequently used to mean exactly the opposite of a corporation. With this ruling, corporations can’t claim protection under FOIA exemptions related to personal privacy.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Obama Signs USA PATRIOT Act Extension&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;President Obama signed the FISA Sunsets Extension Act (&lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr514enr/pdf/BILLS-112hr514enr.pdf"&gt;Public Law No. 112-3&lt;/a&gt;) into law on Friday, February 25, three days before provisions of the PATRIOT Act extended by the bill were set to expire. The bill extends until May 27, 2011, two privacy provisions of the PATRIOT ACT related to the United States’ ability to access business records and conduct “roving wiretaps” and a provision from the Intelligence Reform and Terrorism Prevention Act, known as the “lone-wolf” provision related to the FBI’s ability to monitor terrorists. Specifically, the law extends the sunset provisions for Section 215 of the PATRIOT Act which allows the FBI to obtain an order for “any tangible thing related to a terrorism investigation, including a firm’s customer records” and Section 206 of the PATRIOT ACT which allows law enforcement to attach a wiretap warrant to a suspect, rather than a specific phone. 
The law also extends Section 6001 of the Intelligence Reform and Terrorism Prevention Act (the “lone wolf” provision) which broadens the definition of “agent of a foreign power” to include individuals who act alone in international terrorism within the United States. With only a three-month extension, Congress will likely soon begin debate on a possible multi-year extension of the provisions and amendments to the Act.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Illinois Court Found No Employer Duty to Protect Health Records&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;A Chicago appellate court held that a school district was not liable for inadvertent disclosure of employee health information under HIPAA or common law duty. The district disclosed an insurance enrollment list that contained the names of 1,750 former employees, along with their addresses, Social Security numbers, marital status, medical and dental insurers and health insurance plan information, then acted responsibly to attempt to clear up the disclosure. The employees whose names were revealed filed a class action suit against the school district, arguing that the school district owed a HIPAA duty to safeguard their personal information. They also sued under state statute and common law duties. The court ruled in favor of the district and found no statutory duty to safeguard the employees’ personal information. Under HIPAA, health records held by a covered entity in its role as an employer are excluded from the safeguard rule. Cooney v. 
Chicago Public Schools (IllAppCt) at ¶100-519&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/108857550370933580/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/privacy-bulletin-issue-no-54.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/108857550370933580?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/108857550370933580?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/privacy-bulletin-issue-no-54.html" title="Privacy Bulletin: Issue No. 54" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;A0IFR3o9fip7ImA9Wx9aFU8.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-8544789519389139297</id><published>2011-03-07T15:23:00.001-05:00</published><updated>2011-03-07T15:25:16.466-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-07T15:25:16.466-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Womble Carlyle  IAPP Global Privacy Summit data protection" /><title>Womble Carlyle to Participate in IAPP 2011 Global Privacy Summit</title><content type="html">&lt;p&gt;Washington, D.C. 
— More than 1,500 privacy professionals from around the world will gather in Washington, D.C. for the &lt;a href="https://www.privacyassociation.org/events_and_programs/global_privacy_summit/"&gt;International Association of Privacy Professionals (IAPP) Global Privacy Summit&lt;/a&gt; on March 9-11, 2011. The Summit, taking place at the Washington Marriott Wardman Park, will draw leading privacy, security and data protection professionals to network and discuss cutting edge privacy issues. Womble Carlyle’s Privacy and Data Protection Team will participate as an Exhibitor in the Summit. &lt;p&gt;Among those representing the firm’s &lt;a href="http://www.wcsr.com/teams/privacy-and-data-protection"&gt;Privacy and Data Protection Team&lt;/a&gt; at this year’s Global Privacy Summit are &lt;a href="http://www.wcsr.com/lawyers/theodore-claypoole"&gt;Ted Claypoole&lt;/a&gt;, &lt;a href="http://www.wcsr.com/lawyers/eric-breisach"&gt;Eric Breisach&lt;/a&gt;, &lt;a href="http://www.wcsr.com/lawyers/stephanie-l-shaw"&gt;Stephanie Shaw&lt;/a&gt;, and &lt;a href="http://www.wcsr.com/lawyers/jennifer-l-williston"&gt;Jennifer Williston&lt;/a&gt;. Womble Carlyle’s attendees will join the community of global privacy professionals to share insight on various privacy issues, discuss challenges and identify innovative solutions to help address our clients’ privacy needs. &lt;p&gt;Womble Carlyle’s multi-disciplined Privacy and Data Protection Team helps clients with comprehensive planning to safeguard their businesses with the goal of helping clients avoid privacy protection pitfalls so they can focus on their core business. Our team has backgrounds in wide-ranging areas including intellectual property, technology, data security, regulatory compliance, health information, communications, education, employment, financial services, retail, e-commerce and trade secrets. By taking a full-service approach to privacy issues, we are able to meet our clients’ diverse needs. 
&lt;p&gt;Founded in 2000, the IAPP is the world's largest association of privacy professionals, representing more than 6,700 members from businesses, governments and academic institutions across 52 countries. For more information, please visit &lt;a href="http://www.privacyassociation.org/"&gt;http://www.privacyassociation.org/&lt;/a&gt;.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/8544789519389139297/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/womble-carlyle-to-participate-in-iapp.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8544789519389139297?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8544789519389139297?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/03/womble-carlyle-to-participate-in-iapp.html" title="Womble Carlyle to Participate in IAPP 2011 Global Privacy Summit" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D04FR3Y7eyp7ImA9Wx9UGUo.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-8345132231621660674</id><published>2011-02-17T12:28:00.007-05:00</published><updated>2011-02-17T15:51:56.803-05:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2011-02-17T15:51:56.803-05:00</app:edited><title>Privacy Bulletin: Issue No. 53</title><content type="html">&lt;p&gt;&lt;strong&gt;California Court Holds that a Retailer’s Collection of Zip Codes Violates California Credit Card Act&lt;/strong&gt; &lt;p&gt;On February 10, 2011, the California Supreme Court issued an opinion in &lt;a href="http://www.courtinfo.ca.gov/opinions/documents/S178241.PDF"&gt;&lt;em&gt;Pineda v. Williams-Sonoma Stores, Inc.&lt;/em&gt;&lt;/a&gt; regarding the permissibility of a retailer’s collection of consumers’ zip codes under California law. &lt;em&gt;Pineda v. Williams-Sonoma Stores, Inc.&lt;/em&gt;, No. S178241, February 11, 2011. In this case, the plaintiff alleged that the defendant violated California’s Song-Beverly Credit Card Act of 1971. This Act prohibits businesses from requesting that cardholders provide “personal identification information” during credit card transactions and subsequently recording that information. While paying for a purchase at one of the defendant’s stores, the cashier asked the plaintiff for her zip code. The plaintiff complied, allegedly believing that her zip code was necessary to complete the transaction. The plaintiff alleged that the defendant used her name and zip code to locate her home address. The court held that a zip code constitutes “personal identification information” under the Act, and therefore the defendant violated the Act by requesting and recording the plaintiff’s zip code. Many retailers ask consumers to provide their zip codes at point of sale transactions. Retailers should review this practice in light of this opinion. &lt;p&gt;&lt;strong&gt;Franken to Chair New Senate Judiciary Subcommittee on Privacy, Technology and the Law&lt;/strong&gt; &lt;p&gt;On Monday, February 14, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) announced the creation of a new subcommittee on Privacy, Technology and the Law, which will be chaired by Sen. 
Al Franken (D-MN) (see &lt;a href="http://www.franken.senate.gov/?p=press_release&amp;amp;id=1315"&gt;February 14, 2011 press release&lt;/a&gt;). Tom Coburn (R-OK) will serve as the subcommittee’s ranking member. The subcommittee is tasked with jurisdiction over: &lt;ul&gt;&lt;li&gt;the laws and policies governing the collection, protection, use, and dissemination of commercial information by the private sector;&lt;/li&gt;&lt;li&gt;privacy issues with social networking and other websites;&lt;/li&gt;&lt;li&gt;enforcement and implementation of commercial information privacy laws and policies; private sector privacy protection technologies;&lt;/li&gt;&lt;li&gt;privacy standards for the personally identifiable commercial information; and&lt;/li&gt;&lt;li&gt;privacy implications of emerging technologies.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Other Senators on the subcommittee include Chuck Schumer (D-NY), Sheldon Whitehouse (D-RI), Richard Blumenthal (D-CT), Orrin Hatch (R-UT), and Lindsey Graham (R-SC). &lt;/p&gt;&lt;p&gt;&lt;strong&gt;Privacy Heats Up on Capitol Hill&lt;/strong&gt; &lt;/p&gt;&lt;p&gt;Three privacy bills were introduced in early February 2011. Rep. Jackie Speier (D-CA) leads the way in introducing two new bills on February 11, 2011 addressing privacy (see &lt;a href="http://speier.house.gov/index.cfm?sectionid=48&amp;amp;parentid=46&amp;amp;sectiontree=46,48&amp;amp;itemid=683"&gt;February 11, 2011 press release&lt;/a&gt;). The Do Not Track Me Online Act of 2011, &lt;a href="http://www.thomas.gov/cgi-bin/query/z?c112:H.R.654:"&gt;H.R. 654&lt;/a&gt;, directs the Federal Trade Commission to establish standards for the required use of an online opt-out mechanism to allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use. Rep. 
Speier also introduced amendments to the Gramm-Leach-Bliley Act (GLB). The Financial Information Privacy Act of 2011, &lt;a href="http://www.thomas.gov/cgi-bin/query/F?c112:1:./temp/~c112z4hf8N:e1067:"&gt;H.R. 653&lt;/a&gt;, will amend GLB to require a consumer to opt-in to allow a financial institution to share his or her nonpublic personal information with a nonaffiliated third party. This differs from current GLB in which financial institutions must provide consumers notice and an opportunity to opt-out before the institution can share a consumer’s nonpublic personal information with a nonaffiliated third party. Rep. Bobby Rush (D-IL) also reintroduced privacy legislation that he introduced last year. &lt;a href="http://www.thomas.gov/cgi-bin/query/z?c112:H.R.611:"&gt;H.R. 611&lt;/a&gt;, the Best Practices Act, would apply to persons who engage in interstate commerce and who collect or store data containing “covered information” or “sensitive information” (see &lt;a href="http://blogs.wsj.com/digits/2011/02/11/lawmaker-introduces-new-privacy-bill/"&gt;Wall Street Journal’s article&lt;/a&gt; on these initiatives). &lt;p&gt;&lt;strong&gt;FTC Announces Settlements with Credit Report Data Resellers Over Lax Data Security, Inadequate Breach Response&lt;/strong&gt; &lt;p&gt;The Federal Trade Commission (FTC) released proposed administrative settlements with three credit report data aggregators on February 3, 2011. In a &lt;a href="http://www.ftc.gov/opa/2011/02/settlement.shtm"&gt;press release&lt;/a&gt;, the FTC alleges that the data aggregators allowed clients to access consumers’ credit reports without basic security measures, such as firewalls and updated antivirus software. The FTC further alleges that this lack of basic security measures allowed hackers to access more than 1,800 credit reports without authorization via the clients’ computer networks. 
The FTC alleges that, after becoming aware of the breaches, the data aggregators did not take any steps to add security measures. &lt;p&gt;The proposed consent orders bar the respondents from violating the Safeguards Rule and require them to: &lt;ul&gt;&lt;li&gt;have comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;&lt;/li&gt;&lt;li&gt;obtain independent audits of their security programs, every other year for 20 years;&lt;/li&gt;&lt;li&gt;furnish credit reports only to those with a permissible purpose; and&lt;/li&gt;&lt;li&gt;maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;According to David Vladeck, Director of the FTC's Bureau of Consumer Protection, these cases should send other companies a message that adequate security measures must be taken in order to protect a consumer's information. &lt;p&gt;&lt;strong&gt;Reps. Barton and Markey Ask Facebook for Information about Making User Data Available to Third Party Websites&lt;/strong&gt; &lt;p&gt;Rep. Joe Barton (R-TX) and Rep. Edward Markey (D-MA), co-chairmen of the House Bi-Partisan Privacy Caucus, asked Mark Zuckerberg, Facebook CEO, to respond to questions about Facebook's proposed plan to make its users' addresses and mobile phone numbers available to third party websites and application developers. In a &lt;a href="http://joebarton.house.gov/NewsRoom.aspx?FormMode=Detail&amp;amp;ID=640"&gt;press release&lt;/a&gt; dated February 2, 2011, Reps. 
Barton and Markey announced that they asked Zuckerberg to respond to the following questions: &lt;ul&gt;&lt;li&gt;Would any user information in addition to address and mobile phone number be shared with third party application developers under the feature as originally planned, and was any of this information shared prior to Facebook’s announcement that it would suspend implementation of the feature?&lt;/li&gt;&lt;li&gt;What user information will be shared with third party application developers once the feature is re-enabled?&lt;/li&gt;&lt;li&gt;What was Facebook’s process for developing and vetting the feature referenced above before the feature was suspended, and what was the process that led Facebook to decide to suspend the rollout of this feature? What is the process Facebook is currently employing to adjust the feature prior to re-enabling it?&lt;/li&gt;&lt;li&gt;What are the internal policies and procedures for ensuring that new features developed by Facebook comply with Facebook’s own privacy policy, and does the company consider this a material change to its privacy policy?&lt;/li&gt;&lt;li&gt;What consideration was given to risks to children and teenagers posed by enabling third parties access to their home addresses and mobile phone numbers through Facebook when designing the new feature?&lt;/li&gt;&lt;li&gt;What is the opt-in and opt-out option for this new feature?&lt;/li&gt;&lt;li&gt;Why is Facebook, after previously acknowledging in a letter to Reps. Markey and Barton that sharing a Facebook User ID could raise user concerns, subsequently considering sharing access to even more sensitive personal information such as home addresses and phone numbers to third parties?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;These questions follow a request by the two Representatives sent to Facebook about companies allegedly gaining access to Facebook users’ personal information without their consent or knowledge. 
&lt;p&gt;&lt;strong&gt;Class Action filed against McDonald’s, CBS, Microsoft in New York for Behavioral Advertising Practices&lt;/strong&gt; &lt;p&gt;Following the filing of a class action lawsuit against Interclick for its behavioral advertising practices, Plaintiff Sonal Bose, as a representative of the class, filed a related class action lawsuit against McDonald’s, CBS, Mazda Motor of America, and others for their engagement of Interclick to conduct behavioral advertising campaigns and engage in browser history sniffing (&lt;em&gt;Bose v. McDonald's Corp., et al.&lt;/em&gt;, Civil Action No. 1:10-cv-09569 S.D.NY). Plaintiffs alleged that Defendants’ ad campaigns were used as a cover to data mine computers of Plaintiffs to identify websites Plaintiffs had previously visited. Specifically, the Plaintiffs alleged that Defendants “used browser history sniffing to identify defendants’ competitors with whom consumers communicated” and that this information was subsequently merged into Interclick’s database and eventually resulted in the deanonymization of data in consumer profiles such that they contain consumers’ personally identifiable information. These actions, Plaintiffs allege, violate the Computer Fraud and Abuse Act; the Electronic Communication Privacy Act; New York General Business Law Section 349 and common law and, as a result, Plaintiffs are entitled to injunctive relief and applicable damages. &lt;p&gt;&lt;strong&gt;Upcoming Deadlines&lt;/strong&gt; &lt;p&gt;&lt;a href="http://ftc.gov/opa/2011/01/privacyreport.shtm"&gt;February 18, 2011 Deadline for Commenting on Privacy Report&lt;/a&gt; &lt;p&gt;Comments on the Federal Trade Commission’s privacy report, “&lt;a href="http://ftc.gov/os/2010/12/101201privacyreport.pdf"&gt;Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers&lt;/a&gt;” are due on February 18, 2011. 
The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer or device. The report contains &lt;a href="http://ftc.gov/os/2010/12/101201privacyrptapxa.pdf"&gt;a number of questions&lt;/a&gt; set forth by FTC staff for public comment. &lt;p&gt;&lt;a href="http://csrc.nist.gov/news_events/index.html#jan28"&gt;February 28, 2011 Deadline for Commenting on NIST’s Draft Cloud Computing Reports&lt;/a&gt; &lt;p&gt;The National Institute of Standards and Technology has requested comments on two draft reports concerning cloud computing by February 28, 2011. The first report, “&lt;a href="http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf"&gt;Guidelines on Security and Privacy in Public Cloud Computing&lt;/a&gt;” (Draft NIST Special Publication 800-144), provides an overview of the security and privacy challenges surrounding cloud computing and provides recommendations that organizations should consider when utilizing a public cloud environment. Comments may be sent via email to &lt;a href="mailto:800-144comments@nist.gov"&gt;800-144comments@nist.gov&lt;/a&gt;. The second report, “&lt;a href="http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf"&gt;A NIST Definition of Cloud Computing&lt;/a&gt;” (Draft NIST Special Publication 800-145), restates the existing NIST definition of cloud computing as a formal NIST publication. Comments may be sent via email to &lt;a href="mailto:800-145comments@nist.gov"&gt;800-145comments@nist.gov&lt;/a&gt; by February 28, 2011. 
Although NIST recommendations are made to the federal government, they are relevant to private sector businesses.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/8345132231621660674/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/02/privacy-bulletin-issue-no-53.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8345132231621660674?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8345132231621660674?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/02/privacy-bulletin-issue-no-53.html" title="Privacy Bulletin: Issue No. 53" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEIBQXw4eip7ImA9Wx9VFko.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-919510283155918083</id><published>2011-02-02T12:33:00.003-05:00</published><updated>2011-02-02T14:55:50.232-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-02-02T14:55:50.232-05:00</app:edited><title>Privacy Bulletin: Issue No. 52</title><content type="html">&lt;p&gt;&lt;strong&gt;In the News&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.supremecourt.gov/opinions/10pdf/09-530.pdf"&gt;Supreme Court Finds Privacy Rights of U.S. 
Workers Outweighed by Government Security Interests&lt;/a&gt;: On January 19, 2011, the U.S. Supreme Court ruled in &lt;em&gt;NASA v. Nelson&lt;/em&gt;, No. 09-530, that the federal government has broad discretion to make inquiries of workers and their job references. The Court overruled the 9th Circuit’s findings that questioning workers about prior drug counseling and treatment and asking their references for adverse information about them violated workers’ rights to privacy. The Court declined to address whether the questions implicated privacy rights. The Court instead focused on the government’s interest in protecting against security risks, effectively limiting its decisions to cases involving government workers. Some privacy advocates believe the case may ultimately have more far-reaching implications, especially as it comes months after the Court decided in &lt;em&gt;Quon&lt;/em&gt; that text message searches by government agencies can be constitutionally conducted. The case was decided 8-0, with Justices Scalia and Thomas concurring, noting that they believe that the Constitution does not protect informational privacy. Justice Elena Kagan recused herself from the case due to prior involvement in it. &lt;p&gt;&lt;a href="http://www.supremecourt.gov/qp/09-01279qp.pdf"&gt;Supreme Court Considers Whether Corporations Can Invoke FOIA Privacy Provision&lt;/a&gt;: On January 19, 2011, the Supreme Court heard oral arguments in &lt;em&gt;FCC v. AT&amp;amp;T&lt;/em&gt;, No. 09-1279 to determine whether 5 U.S.C. 552(b)(7)(C), which exempts from FOIA requirements all disclosures that could reasonably be expected to constitute an unwarranted invasion of "personal privacy," protects the privacy of corporate entities. AT&amp;amp;T objects to certain disclosures requested by competitor Comptel in 2005 relating to a 2004 FCC investigation of the telephone company’s billing practices. 
The 3rd Circuit, in finding for AT&amp;amp;T in the case below, held that “Corporations, like human beings, face public embarrassment, harassment and stigma because of” involvement in law enforcement investigations and should, therefore, be protected from disclosing the results of those investigations to the public. &lt;p&gt;&lt;strong&gt;South Carolina State Insurance Program Breached:&lt;/strong&gt; On January 14, 2011, the state Budget and Control Board notified individuals insured by the State Employee Insurance Program that their personal information may have been breached. A computer virus attack may have compromised the personal information of up to 5,600 state employees and their dependents, officials say. A spokesman for Governor Nikki Haley said that the state Budget and Control Board had just voted to hire a new director, Eleanor Kitzman, who will ensure “something like this never happens again.” &lt;p&gt;&lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=h112-321"&gt;Rep. Cohen Reintroduces Legislation to Limit Use of Credit Reports by Employers&lt;/a&gt;: On January 20, 2011, U.S. Representative Steve Cohen (D-Tenn.) reintroduced the Equal Employment for All Act (H.R. 321) in the House. The Act would prohibit employers from using the credit reports of employees and prospective employees to make employment decisions including hiring, promotions, transfers and terminations. The practice of using credit reports to make employment decisions has been criticized by the Equal Employment Opportunity Commission which recently filed a class action suit claiming the process violates the Civil Rights Act because it has a disparate impact on minorities. Rep. Cohen first introduced the Equal Employment for All Act in August 2009. 
&lt;p&gt;&lt;a href="http://www.senatorsimitian.com/entry/simitian_introduces_consumer_privacy_protection_bill/"&gt;California State Senator Reintroduces Data Protection Bill Previously Vetoed by Governor&lt;/a&gt;: On January 20, 2011, California state Senator Joe Simitian introduced a data protection measure that describes the specific information which must be disclosed in each data breach notification and requires that the Attorney General of the state be notified for breaches affecting over 500 residents. The same bill was passed by the California legislature last year but was vetoed by Governor Schwarzenegger. The current breach notification law was written by Senator Simitian in 2002, and it has served as a model for numerous other states’ data breach laws. &lt;p&gt;&lt;a href="http://www.ncdhhs.gov/pressrel/2011/2011-01-26-dsdhh.htm"&gt;North Carolina DHHS Clients’ Personal Information Compromised&lt;/a&gt;: The North Carolina Department of Health and Human Services has announced that the Division of Services for the Deaf and the Hard of Hearing (“DSDHH”) may have inadvertently thrown out computer disks containing the personal information of North Carolinians who had applied for services from DSDHH’s Equipment Distribution Service between January 2005 through December 2008. DSDHH Director Jan Withers announced that all information maintained by the agency has been encrypted since 2008. &lt;p&gt;&lt;strong&gt;Oregon Senator Pushes for Heightened Process to Obtain Location-Based Information:&lt;/strong&gt; Senator Ron Wyden (D.- Oreg.) has announced he will introduce a bill requiring law enforcement officials to obtain court-ordered warrants in order to access location-based information from mobile devices. 
The issue of location-based privacy has gained traction since the United States District Court for the District of Columbia ruled in August that warrantless tracking of an individual’s location through electronic means, as opposed to following a suspect to ascertain his destination on a given trip, violated his Fourth Amendment rights. Sen. Wyden said that, far from hampering a police officer’s ability to do his job, a federal law regulating when a warrant is required to follow a suspect would provide law enforcement with the legal clarity needed to undertake investigations. &lt;p&gt;&lt;strong&gt;Upcoming Deadlines&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://business.ftc.gov/blog/2011/01/three-week-extension-privacy-report-comments"&gt;FTC Moves Comment Deadline for Privacy Report to February 18, 2011&lt;/a&gt;: The Federal Trade Commission has granted an extension for responding to its privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share or otherwise use consumer data that can be linked to a specific consumer, computer or device. Comments on this paper were initially to be due January 31, 2011. &lt;p&gt;&lt;strong&gt;Privacy and Data Protection Team&lt;/strong&gt;&lt;br /&gt;The attorneys in Womble Carlyle’s &lt;a href="http://www.wcsr.com/teams/privacy-and-data-protection"&gt;Privacy and Data Protection Team&lt;/a&gt; provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. 
This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/919510283155918083/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/02/privacy-bulletin-issue-no-52.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/919510283155918083?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/919510283155918083?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/02/privacy-bulletin-issue-no-52.html" title="Privacy Bulletin: Issue No. 
52" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CU8GQXs4eSp7ImA9Wx9XE0k.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-8129637378547184231</id><published>2011-01-06T12:36:00.004-05:00</published><updated>2011-01-06T14:57:00.531-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-06T14:57:00.531-05:00</app:edited><title>Privacy Bulletin: Issue No. 51</title><content type="html">&lt;p&gt;&lt;a href="http://www.whitehouse.gov/briefing-room/signed-legislation?page=2"&gt;President Signs Bill Clarifying Identity Theft Red Flag Legislation&lt;/a&gt;&lt;/p&gt;&lt;p&gt;During a flurry of bill signing before leaving for a holiday vacation, President Obama signed S.3987, Red Flag Program Clarification Act of 2010, into law (December 18, 2010). This legislation should limit the types of entities that are subject to the Federal Trade Commission’s identity theft prevention red flag rules. The Federal Trade Commission had delayed enforcement of the red flags rules until December 31, 2010; however, other agencies did not delay enforcement of the original November 1, 2008 deadline for institutions subject to the respective agencies’ oversight. However, the FTC had stated in a press release, dated May 28, 2010, that if Congress passed legislation limiting the scope of the red flags rule with an effective date earlier than December 31, 2010, the Commission would begin enforcement as of that effective date. 
The legislation is effective as of the date of enactment, December 18, 2010.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-priv"&gt;Commerce Department Releases Green Paper on Consumer Online Privacy&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The U.S. Department of Commerce released a green paper on December 16, 2010 which details the Department’s initial policy recommendations to promote consumer privacy online while ensuring that the Internet remains a platform of innovation and economic growth. The Department seeks public comments on the contents of the report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report recommends the creation of a new office within the Commerce Department that would meet with stakeholders and develop privacy codes of conduct. The Department also recommends the consideration of national data security breach notification laws, which would preempt state laws. The report contains several other recommendations, as stated in the Department’s press release: (i) consider establishing fair information practice principles comparable to a “Privacy Bill of Rights” for online consumers; (ii) encourage global interoperability to spur innovation and trade; (iii) consider how to harmonize disparate security breach notification rules; and (iv) review the Electronic Communications Privacy Act for the cloud computing environment.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www2.parl.gc.ca/Content/LOP/LegislativeSummaries/40/3/c28-e.pdf"&gt;Canada Enacts Anti-Spam Law&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Canada enacted an anti-spam law; the law was approved by the Canadian Senate on December 15, 2010. Canada is one of the last G8 countries to enact an anti-spam law. 
Bill C-28, the Fighting Internet and Wireless Spam Act, will require businesses to follow certain best practices and will require businesses to obtain opt-in approval from the recipients of their commercial emails, unless there is a prior business relationship. This differs from the United States’ CAN-SPAM Act, which requires consumers to opt out of receiving commercial emails.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.whitehouse.gov/briefing-room/signed-legislation?page=2"&gt;President Signs Bill Protecting Social Security Numbers&lt;/a&gt; &lt;/p&gt;&lt;p&gt;President Obama also signed legislation to further protect an individual’s social security number (S.3789, Social Security Number Protection Act of 2010, signed into law December 18, 2010). As we reported last issue, the legislation will prohibit agencies from displaying a person’s social security number (or any derivative of that number) on a check issued by an agency and prohibit agencies from employing prisoners where the prisoner would have access to a person’s social security number.&lt;/p&gt;&lt;p&gt;Congressional Committee Chairs and Ranking Members Approved by Respective Parties&lt;/p&gt;&lt;p&gt;On December 8, 2010, the House Republican Conference approved committee chairmen, including those for the committees with primary leadership over privacy and data security issues. The House Democratic Caucus did the same on December 9th for ranking members on those committees with primary leadership over privacy and data security issues. Rep. Fred Upton (R-MI) was approved to lead the Energy and Commerce Committee. Current Committee Chair Rep. Henry Waxman (D-CA) was approved to be the ranking member of the Committee in the next Congress. Rep. Spencer Bachus (R-AL) was elected to chair the House Financial Services Committee. Current Chair Rep. 
Barney Frank (D-MA) was approved to be the ranking member.&lt;/p&gt;&lt;p&gt;Other committees that have addressed privacy and security issues in the past Congress include the Homeland Security Committee, the Oversight and Government Reform Committee, and the Judiciary Committee. Republicans elected Rep. Peter King (R-NY) to chair the Homeland Security Committee, Rep. Darrell Issa (R-CA) to chair the Oversight and Government Reform Committee, and Rep. Lamar Smith (R-TX) to chair the Judiciary Committee in the next Congress. The Democratic Caucus approved Rep. Bennie Thompson (D-MI) as ranking member of the Homeland Security Committee, Rep. Elijah Cummings (D-MD) as ranking member of the Oversight and Government Reform Committee, and Rep. John Conyers (D-MI) as ranking member of the Judiciary Committee.&lt;/p&gt;&lt;p&gt;Both the House and Senate legislative calendars have been released by the respective houses. The first working day for both houses for the 112th Congress was January 5, 2011. (See &lt;a href="http://www.house.gov/"&gt;http://www.house.gov/&lt;/a&gt; and &lt;a href="http://www.senate.gov/"&gt;http://www.senate.gov/&lt;/a&gt; for respective committee websites and calendar pages.)&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.freep.com/article/20101226/NEWS03/12260530/Is-reading-wife-s-e-mail-a-crime?-Rochester-Hills-man-faces-trial"&gt;Detroit Man Faces Charges for Allegedly Reading Wife’s Email&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The Detroit Free Press reported on December 27, 2010 that a man faces trial on charges that he violated Michigan’s identity theft laws and laws against the theft of trade secrets by allegedly logging on to his wife’s email account, using a laptop computer found in the home that the two shared and using his wife’s password. 
The man allegedly read his wife’s email to determine whether his wife was having an extramarital affair.&lt;/p&gt;&lt;p&gt;&lt;a href="http://docs.justia.com/cases/federal/district-courts/california/candce/5:2010cv05878/235551/1/0.pdf%20f"&gt;Class Action Filed against Apple and its iPhone Alleging Certain Applications May Have Transmitted Personal, Identifying Information&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Plaintiffs filed a class action lawsuit against Apple Inc., Pandora Media, Inc., and Gogii, Inc. for violations of the plaintiffs’ privacy and unfair business practices in the United States District Court, Northern District of California, San Jose Division, on December 23, 2010 (Lalo v. Apple Inc., Dec. 23, 2010, No. C 10-05878 PSG (No. Dist. Calif.)). In the suit, the plaintiffs claim that they downloaded applications to their iPhone and iPad mobile devices from an Apple-sponsored website. Plaintiffs further allege that some of the applications transmitted personal, identifying information to advertising networks without obtaining the consent of the user. The suit also alleges that Apple, Inc., in allowing the applications to share personal, identifying information without the user’s consent, violates Apple’s own privacy standards. 
The plaintiffs are asking for class certification, injunctive and equitable relief, a requirement that all data from and about plaintiff and class members be deleted, and others.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/8129637378547184231/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2011/01/privacy-bulletin-issue-no-51.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8129637378547184231?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8129637378547184231?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2011/01/privacy-bulletin-issue-no-51.html" title="Privacy Bulletin: Issue No. 
51" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;AkcCQX0yeyp7ImA9Wx9QEE4.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-9166476044406146755</id><published>2010-12-22T12:13:00.000-05:00</published><updated>2010-12-22T12:14:20.393-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-12-22T12:14:20.393-05:00</app:edited><title>Sixth Circuit Finds Reasonable Expectation of Privacy in E-Mails Stored in or Sent through a Commercial ISP</title><content type="html">&lt;p&gt;The United States Court of Appeals for the Sixth Circuit has ruled that the government must obtain a search warrant to intercept and read e-mails. In U.S. v. Warshak, Case 08-3997, the Sixth Circuit addressed the right of a private individual to maintain private e-mail accounts free from warrantless searches and seizures. The case may have significant implications for business because, for the first time, a U.S. Federal Appeals Court held that the Constitution protects individual privacy rights in e-mails. Such rights may extend to e-mails managed by employers in certain situations.&lt;/p&gt;&lt;p&gt;The Court found that the e-mails of a suspect in a fraud investigation were protected by the Fourth Amendment because (1) the suspect had “plainly manifested” an expectation of privacy in his e-mails (shown in part through the damaging nature of the information obtained from the e-mails) and (2) his expectation of privacy was “reasonable,” as e-mail is fundamentally similar to traditional protected forms of communication (like letters). 
Therefore, the Court held, the government violated the Fourth Amendment by accessing e-mails from his internet service provider (“ISP”) without a warrant.&lt;/p&gt;&lt;p&gt;The Court noted that a subscriber agreement between an ISP and a consumer could potentially be so broad as to “snuff out” a reasonable expectation of privacy if, for example, the ISP “expresses an intention to audit, inspect, and monitor” its customer’s e-mails. However, in the absence of such language, an ISP may not be compelled to turn over its subscribers’ e-mails. The Court noted that an ISP, as the intermediary facilitating e-mail transfer, does not have the same right to disclose this information as the recipient would.&lt;/p&gt;&lt;p&gt;This case has far-reaching implications for the treatment of e-mails by the courts. In Warshak, the government had claimed that, even if it had violated the Fourth Amendment in obtaining the e-mails, law enforcement agencies should be protected by relying on the Secured Communications Act (“SCA”), which permits compelling disclosure of electronic communications through an administrative subpoena or a court order. The Court found that, to the extent that the SCA purports to allow the government access to obtain e-mails stored in or sent through a commercial ISP from the ISP, the SCA is unconstitutional. &lt;/p&gt;&lt;p&gt;While this case does not address the right of an employer to access e-mails, through personal or corporate accounts, the implications of this decision are clear. It would be easy for a court to extend this decision to find that, absent clear language to the contrary, any expectation of an e-mail user of privacy in his or her e-mails is reasonable. In the future, employers and others with access to e-mail accounts of others may be prohibited from warrantless searches of their e-mails. 
As the Court held, “the mere ability of a third-party intermediary to access the contents of a communication cannot be sufficient to extinguish a reasonable expectation of privacy.”&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/9166476044406146755/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/sixth-circuit-finds-reasonable.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/9166476044406146755?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/9166476044406146755?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/sixth-circuit-finds-reasonable.html" title="Sixth Circuit Finds Reasonable Expectation of Privacy in E-Mails Stored in or Sent through a Commercial ISP" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DUYMSXo8fyp7ImA9Wx9RFU4.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-6268340883923101798</id><published>2010-12-16T15:50:00.004-05:00</published><updated>2010-12-16T17:06:28.477-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-12-16T17:06:28.477-05:00</app:edited><title>Privacy Bulletin: Issue No. 
50</title><content type="html">&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf"&gt;Congress Passes Red Flags Rule Legislation, Waiting for President’s Signature&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The U.S. Senate and U.S. House of Representatives have both passed amendments clarifying the definition of the term “creditor” under the Fair Credit Reporting Act. This legislation was introduced to limit the types of entities that are subject to the Federal Trade Commission’s identity theft prevention red flag rules. This legislation is awaiting President Obama’s signature.&lt;/p&gt;&lt;p&gt;Currently, the term “creditor” can be broadly interpreted to include many different types of entities and professions, such as attorneys. The legislation will limit the term “creditor” to mean those persons who meet the definition of creditor under the Equal Credit Opportunity Act and regularly and in the ordinary course of business: (i) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.&lt;/p&gt;&lt;p&gt;In a press release dated December 8, 2010, FTC Chairman Jon Leibowitz said, “We’re pleased Congress clarified its law, which was clearly overbroad. Now, we can go forward with less litigating and more protecting consumers from identity theft.”&lt;/p&gt;&lt;p&gt;In connection with this controversy, the FTC delayed the effective date of the red flag rules, issued on November 9, 2007, several times. The rules are now to take effect December 31, 2010 (&lt;a href="http://www.ftc.gov/opa/2010/12/redflags.shtm"&gt;red flag rules&lt;/a&gt;). 
For the complete text of the legislation, see &lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf"&gt;http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-111s3386rfh/pdf/BILLS-111s3386rfh.pdf"&gt;Senate Approves Legislation to Ban “Data Pass” to Third Party Post-Transaction Sellers&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On November 30, 2010, the U.S. Senate passed legislation that would render unlawful any post-transaction third party seller’s charge or attempt to charge a consumer’s credit card, debit card, or bank account for goods or services sold through the internet. There are exceptions to the prohibition: (i) before obtaining a consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including certain specific terms; and (ii) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by certain specified methods. Senate Bill 3386, the “Restore Online Shoppers’ Confidence Act,” has passed to the House Committee on Energy and Commerce.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://caselaw.findlaw.com/us-federal-circuit/1545224.html"&gt;FCRA Credit Receipt Claim May Proceed Against the U.S. Government, says Federal Circuit Court&lt;/a&gt;:&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The U.S. Court of Appeals for the Federal Circuit has allowed a claim of a violation of the Fair Credit Reporting Act by the United States government to proceed. In &lt;em&gt;Bormes v. United States&lt;/em&gt; (Fed. Cir., No. 
2009-1546, 11/16/2010), the plaintiff claims that the United States government failed to follow the Act’s requirements that a consumer’s credit card expiration date be redacted from appearing on a receipt. The plaintiff, an attorney, allegedly paid a client’s filing fees through the U.S. government’s pay.gov system using a credit card. In so doing, the plaintiff alleges that the receipt for the payment of the filing displayed the card’s expiration date, in violation of the Fair Credit Reporting Act Section 1681c(g)(1).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://energycommerce.house.gov/index.php?option=com_content&amp;amp;view=article&amp;amp;id=2147:hearing-on-do-not-track-legislation-is-now-the-right-time&amp;amp;catid=129:subcommittee-on-commerce-trade-and-consumer-protection&amp;amp;Itemid=70"&gt;Congress Holds Hearing on Feasibility of “Do-Not-Track” Legislation&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The U.S. House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection held a hearing entitled “Do-Not-Track Legislation: Is Now the Right Time?” on December 2, 2010. This hearing examined the feasibility of establishing a mechanism that provides internet users a method to opt-out from the tracking of their online activity by data-gathering firms. Among the witnesses were officials from the Federal Trade Commission and the Department of Commerce. 
Daniel Weitzner of the Commerce Department’s National Telecommunications and Information Administration included in his testimony that the Commerce Department will soon publish a series of policy ideas and questions in a “green paper.” He also stated that these policy ideas and questions “are intended to play a key role in [the Department’s] effort to close gaps in consumer protection, strengthen online trust, and bolster the internet economy.” His testimony also stated that “with or without legislation, Internet stakeholders suggested that the centerpiece of Internet privacy protection may be upgrading the role of voluntary but &lt;em&gt;enforceable&lt;/em&gt; codes of conduct, developed through open, inclusive processes.” Director of the Bureau of Consumer Protection David Vladeck, testifying on behalf of the Federal Trade Commission, relayed, among other things, the framework proposed by the FTC in its recent report to guide policy makers and industry to improve consumer online privacy protection. On the heels of this hearing, Microsoft® announced on December 8th that it would add a “do-not-track” feature to its Internet Explorer® software.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://kerry.senate.gov/press/release/?id=223b8aac-0364-4824-abad-274600dffe1c"&gt;Members of Congress State Intent to Seek Privacy Legislation in the Next Congress&lt;/a&gt;&lt;/strong&gt;:&lt;/p&gt;&lt;p&gt;Several Congressional Members have indicated their intent to seek internet privacy legislation, including Senator John Kerry (MA). In a press release dated December 1, 2010, Sen. Kerry stated that “during the process of drafting legislation, I’ve concluded that consumers should have three nonnegotiable rights. First, all firms must put procedures in place to secure personally identifiable information. Second, consumers have a right to know in clear and concise terms what firms intend to collect, why, and how it will be used. 
Third, consumers should be given a simple mechanism for opting out of the process.”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.ftc.gov/os/fedreg/2010/december/101207tsrcalleridfrn.pdf"&gt;FTC Solicits Comments on Caller ID Services for Telemarketers&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Federal Trade Commission issued an advance notice of proposed rulemaking on November 30, 2010, seeking comments on the provisions of the Telemarketing Sales Rule concerning caller identification services and disclosure of telemarketers’ identities for telemarketing calls.&lt;/p&gt;&lt;p&gt;Caller identification services provide a consumer the opportunity to know his or her caller. However, innovations in caller identification services have led to a telemarketer’s ability to shield its true identity and contact information from consumers. Telemarketers can use technology to allow them to transmit caller identification numbers that are not associated with their geographical location. Telemarketers can also use these technologies to display telephone numbers that lead to voicemail only or to display a number that is not in service. Telemarketers can also change their name in the caller identification display.&lt;/p&gt;&lt;p&gt;The FTC solicits comments on whether changes should be made to the Telemarketing Sales Rules to reflect the current use and capabilities of caller identification technologies and whether the Rules should be amended to better achieve the objectives of the caller identification provisions. The FTC’s press release regarding this ANPR states that the ANPR “does not put forward a specific plan for strengthening the Telemarketing Sales Rule’s Caller ID provisions. 
Instead, it provides information on how Caller ID services work, and explains how the benefits of Caller ID services are undermined when telemarketers use technology to block transmission of Caller ID, to transmit false information, or to transmit a telephone number or name that does not clearly identify the source of the call.” Comments are due January 28, 2011.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.ftc.gov/opa/2010/12/copierdata.shtm"&gt;FTC Publishes Tips for Securing Data on Digital Copiers&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The FTC recently published a guide, &lt;u&gt;Copier Data Security: A Guide for Businesses&lt;/u&gt;, which advises businesses on how to secure sensitive data stored on digital copiers. The FTC’s press release announcing this new guide includes some helpful steps for ensuring data security that can be found in the guide (reprinted below):&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server. &lt;/li&gt;&lt;li&gt;When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. &lt;em&gt;Encryption&lt;/em&gt; scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, the data cannot be retrieved. &lt;em&gt;Overwriting&lt;/em&gt; – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed. &lt;/li&gt;&lt;li&gt;Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month. &lt;/li&gt;&lt;li&gt;When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. 
Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Please see the FTC’s website for more information, &lt;a href="http://www.ftc.gov/"&gt;www.ftc.gov&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-111s3789enr/pdf/BILLS-111s3789enr.pdf"&gt;Congress Passes Social Security Number Protection Act&lt;/a&gt;:&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On December 9, 2010, Congress passed legislation to further protect an individual’s social security number. The legislation will prohibit federal, state and local agencies from displaying a person’s social security number (or any derivative of that number) on a check issued by an agency. The legislation will also prohibit federal, state or local agencies from employing prisoners where the prisoner would have access to a person’s social security number. This legislation, the Social Security Number Protection Act of 2010, was sponsored by Senator Dianne Feinstein (CA). The bill now awaits President Obama’s signature.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://newscenter.verizon.com/press-releases/verizon/2010/verizon-to-issue-identity.html"&gt;Verizon Announces Plan to Issue Medical Credentials to Doctors, and Other Medical Professionals&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Verizon announced on November 17th its plans to issue medical identity credentials to 2.3 million physicians, physicians’ assistants and nurse practitioners in the United States free of charge. In a press release, Verizon claimed that “this first-of-its kind step will enable U.S. health care professionals to meet federal requirements contained in the 2009 Health Information Technology and Clinical Health (HITECH) Act that call for the use of strong identity credentials when accessing and sharing patient information electronically beginning in mid-2011.” Verizon feels that with these credentials, “U.S. 
health care professionals will be able to receive digital health information via the Verizon Medical Data Exchange, using a secure, private inbox accessed from a new web-based physician portal.” Further, Verizon states that the credentials will enable these health care providers to access applications and programs such as electronic medical records and e-prescribing.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.consumerfed.org/pdfs/Cloud-report-2010.pdf"&gt;&lt;strong&gt;Consumer Group Advocates Improved Consumer Protections to Cloud Computing Service Providers&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The Consumer Federation of America released a set of best practices for cloud computing services on November 30th, titled “Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing.” Cloud services can be incredibly useful for sharing information electronically. Consumers as well as businesses and governments already take advantage of cloud computing services, such as social networking sites and other remote servers that hold information and are accessed through the internet. However, cloud computing services can also create issues in the consumer protection and privacy arenas. Thus, according to its press release on November 30th, the Consumer Federation held a two day retreat over the summer with representatives from consumer and privacy organizations, academia, government and business from the United States and Europe in attendance and created a set of best practices for the cloud service provider industry. These best practices include, but are not limited to, the demonstration of operational safeguards and security mechanisms by cloud service providers and that cloud service users should be able to delete information the user uploaded to the cloud. 
These best practices are not mandatory, but the Consumer Federation of America hopes that the cloud service provider industry will consider these practices in the future.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/6268340883923101798/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/congress-passes-red-flags-rule.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/6268340883923101798?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/6268340883923101798?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/congress-passes-red-flags-rule.html" title="Privacy Bulletin: Issue No. 50" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;Dk8AQH8-eyp7ImA9Wx9SFE0.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-901918276781686527</id><published>2010-12-03T15:00:00.001-05:00</published><updated>2010-12-03T14:34:01.153-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-12-03T14:34:01.153-05:00</app:edited><title>Privacy Bulletin: Issue No. 
49</title><content type="html">&lt;p&gt;&lt;strong&gt;In the News&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.ftc.gov/opa/2010/12/privacyreport.shtm"&gt;FTC Issues Preliminary Staff Report Regarding Consumer Privacy and Seeks Comments on Proposal by January 31, 2011&lt;/a&gt;: On December 1, 2010, the FTC proposed a framework for how companies that collect consumer data should protect consumers’ privacy. Entitled “Protecting Consumer Privacy in an Era of Rapid Change,” the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer, or device. The proposed framework contains three components: (1) “privacy by design” pursuant to which companies would build privacy protections into their everyday business practices; (2) notice and choice to consumers about a company’s data practices in a simpler, more streamlined manner than has been done in the past; and (3) improved transparency of all data practices, including those of non-consumer facing businesses. The FTC has proposed various protections to implement each of these three components. As one example, with regard to consumer choice, the FTC has proposed “Do Not Track,” which would require companies to include a setting, similar to a cookie, on a consumer’s browser that would signal the consumer’s choices about being tracked and receiving targeted ads. The FTC seeks comments on the proposed framework and the protections contained therein by January 31, 2011.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;House Energy and Commerce Committee Holds Privacy Hearing&lt;/strong&gt;: On December 2, 2010, the House Energy and Commerce Committee held a hearing to address whether to write legislation to mandate a “Do Not Track” mechanism as discussed in the FTC report. 
The Commission testified about the “Do Not Track” option, which it called the “most practical way” to provide consumers with choices about online behavioral advertising. The Commission stressed that Do Not Track legislation, if enacted, should not “undermine the benefits online behavioral advertising provides consumers” or require maintenance of a distinct registry of users. The Commission also urged Congress to give it rulemaking authority and the ability to fine violators.&lt;/p&gt;&lt;p&gt;On a related issue, on the heels of the release of the FTC report, Senator John Kerry announced on December 1, 2010, that he would introduce privacy legislation in early 2011.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.ico.gov.uk/~/media/documents/pressreleases/2010/first_monetary_penalties_press_release_24112010.ashx"&gt;United Kingdom’s Information Commissioner’s Office Issues First Data Protection Fines:&lt;/a&gt; The Information Commissioner’s Office reports that it has issued its first data protection fines. Specifically, the U.K.’s Information Commissioner’s Office has fined the Hertfordshire County Council 100,000 pounds for breaching the U.K. Data Protection Act. The Office also fined an employment service company 60,000 pounds for the loss of an encrypted laptop with personal information of 24,000 individuals who had used community legal advice centers.&lt;/p&gt;&lt;p&gt;&lt;a href="http://ftc.gov/opa/2010/11/cted.shtm"&gt;FTC Names First Chief Technologist and New Executive Director&lt;/a&gt;: The Federal Trade Commission (“FTC”) has appointed Princeton University Professor Edward Felten as its first Chief Technologist, to advise the agency on new technologies and policy issues. Felten is a professor of computer science and public affairs and was the founding director of the Center for Information Technology Policy at Princeton University. He has also consulted with various agencies, including the FTC, where he currently consults. 
He will start full-time at his new position in January. The appointment has been widely applauded as the FTC enters a new era with an increasing number of high-profile technology cases.&lt;/p&gt;&lt;p&gt;The FTC also announced that Small Business Administration (“SBA”) Chief Operating Officer Eileen Harrington has been appointed to be the FTC’s Executive Director. An experienced choice, Harrington worked at the FTC for 25 years before her tenure at the SBA. While at the FTC, Harrington was awarded the Service to America Medal for leading in the creation of the National Do Not Call Registry in 2004.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.whitehouse.gov/sites/default/files/microsites/ostp/nstc-privacy-subcommittee-charter.pdf"&gt;White House Privacy Committee Releases Charter&lt;/a&gt;: The Subcommittee on Privacy and Internet Privacy, established by the National Science and Technology Council Committee on Technology, released its charter earlier this month. The charter focused on three main deliverables: (i) a white paper examining information privacy in the Internet Age; (ii) Internet Privacy Principles, to be applied domestically and globally; and (iii) coordination of Statements of Administration Policy on privacy and Internet privacy. The Subcommittee, created October 24, 2010, is comprised of representatives from over 15 departments, agencies and federal offices and is co-chaired by Cameron Kerry, the General Counsel of the Department of Commerce, and Christopher Schroeder, Assistant U.S. Attorney General.&lt;/p&gt;&lt;p&gt;&lt;a href="http://developers.facebook.com/blog/post/422"&gt;Facebook Announces Zero Tolerance Policy for Data Brokers&lt;/a&gt;: After discovering that a data broker paid application developers for Facebook users’ information, the social networking site announced it has a “zero tolerance” policy for data brokers. 
Facebook stated on its Developers Blog that data brokers “undermine the value that users have come to expect from Facebook.” Developers are prohibited from giving data from Facebook to data brokers, and Facebook also announced that it was suspending previous violators from accessing Facebook for 6 months. The policy announcement comes at the same time that Facebook has come under fire itself for a new feature, called “Friendship Pages.” The feature shares public information between “friends” to show the relationship histories between the users. Although the information is already public, some critics have claimed that Facebook should have notified all users of the new feature and given a clear opt-in or opt-out feature.&lt;/p&gt;&lt;p&gt;&lt;a href="https://info.apps.gov/sites/default/files/Proposed-Security-Assessment-and-Authorization-for-Cloud-Computing.pdf"&gt;White House Issues Cloud Computing Guidance&lt;/a&gt;: On November 2, 2010, the White House issued “The Proposed Security Assessment and Authorization for U.S. Government Cloud Computing,” a document called the “product of 18 months of collaboration with state and local governments, private sector, NGOs, and academia” by U.S. Chief Information Officer Vivek Kundra. The proposal is intended to help government agencies utilize cloud computing by laying out security requirements that private contractors providing these services must meet. 
CIO Kundra asked for public comment on the proposal, and all comments are due December 2, 2010.&lt;/p&gt;&lt;p&gt;&lt;a href="http://hsgac.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&amp;amp;Hearing_id=954c3149-042e-4028-ae23-754868902c44"&gt;Homeland Security Committee Announces Cybersecurity Hearing&lt;/a&gt;: On November 17, 2010, the Homeland Security and Governmental Affairs Committee held a cybersecurity hearing entitled “Securing Critical Infrastructure in the Age of Stuxnet.” The hearing addressed the security implications of the Stuxnet worm and its potential impact on systems that run the U.S.’s infrastructure. Witnesses included Sean McGurk, acting director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center; Michael J. Assante, president and CEO at the National Board of Information Security Examiners; Dean Turner, the director of the Global Intelligence Network at Symantec Corporation; and Mark W. Gandy, global manager of IT Security and Information Asset Management at Dow Corning Corporation. The hearing was held at 10:30 am at the Dirksen Senate Office Building, room SD-342. Live video of the hearing was made available by the Committee.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.nlrb.gov/about_us/news_room/template_html.aspx?file=http://www.nlrb.gov/shared_files/Press%20Releases/2010/R-2794.htm"&gt;NLRB Says Firing Based on Facebook Posts Was Illegal:&lt;/a&gt; In a groundbreaking case, the National Labor Relations Board (“NLRB”) has issued a complaint claiming that a company’s firing of an employee who criticized her supervisor on Facebook was an unfair labor practice. This is the first time the labor board has argued that workers’ criticisms of their employers on a social networking site are protected. 
The NLRB issued the complaint against American Medical Response of Connecticut for firing medical technician Dawnmarie Souza after she called her supervisor a psychiatric patient and referred to the supervisor by derogatory terms on her Facebook page. The NLRB also alleged the company’s Internet policies, which prohibited employees from making disparaging, discriminatory, or defamatory comments about supervisors, co-workers, competitors or the company, were overly broad and interfered with employees’ right to engage in protected activities under Section 7 of the NLRA. A hearing is scheduled for January 25, 2011.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Upcoming Deadlines&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml"&gt;FTC Red Flag Enforcement Begins January 1, 2011&lt;/a&gt;: In May 2010, the FTC once again extended the enforcement date of its Red Flags rule through December 31, 2010. The FTC has not issued a further extension. Therefore, by January 1, 2011, businesses that maintain covered accounts must have implemented a written identity theft prevention program that has been approved by the company’s board or an appropriate board committee. This enforcement deadline does not affect the enforcement of the “Red Flags Rule” already in place for financial institutions and creditors that are regulated by the federal bank regulatory agencies or the National Credit Union Administration.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.ftc.gov/opa/2009/11/glb.shtm"&gt;GLBA Model Notice Must Be Used by January 1, 2011:&lt;/a&gt; Financial institutions regulated under the Gramm-Leach-Bliley Act (as amended by the Financial Services Regulatory Relief Act of 2006), must use the GLBA model privacy notice form if they want to obtain safe harbor protection under the GLBA privacy rules. 
The purpose of the form is to make privacy notices more transparent to consumers.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Privacy and Data Protection Team&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The attorneys in Womble Carlyle’s &lt;a href="http://www.wcsr.com/default.asp?id=853&amp;amp;objId=51"&gt;Privacy and Data Protection Team&lt;/a&gt; provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. 
Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-901918276781686527?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/901918276781686527/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/privacy-bulletin-issue-no-49_03.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/901918276781686527?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/901918276781686527?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/12/privacy-bulletin-issue-no-49_03.html" title="Privacy Bulletin: Issue No. 49" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;Dk8MQ3w6eCp7ImA9Wx5bFk4.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-262998254067483069</id><published>2010-11-01T11:06:00.004-04:00</published><updated>2010-11-01T14:08:02.210-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-11-01T14:08:02.210-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="facebook google zynga privacy violations smart grid" /><title>Privacy Bulletin: Issue No. 
48</title><content type="html">&lt;p&gt;&lt;strong&gt;In the News&lt;br /&gt;Class Action Lawsuit Filed Against Google:&lt;/strong&gt; A class action lawsuit was filed against Google in a US District Court in San Jose, California. The suit alleges that Google violates the privacy of its users by sharing personal information and Internet search queries of its users with third parties. "User search queries, which often contain highly-sensitive and personally identifiable information, are routinely transferred to marketers, data brokers, and sold and resold to countless other third parties," the complaint said. &lt;p&gt;&lt;strong&gt;Facebook and Zynga Named in Class Action Lawsuits Alleging Privacy Violations:&lt;/strong&gt; Lawsuits filed in the U.S. District Court for the Northern District of California allege that Facebook and Zynga shared users’ personal information with advertisers and other unauthorized individuals in violation of their own privacy policies, as well as state and federal privacy laws protecting electronic communications. These lawsuits follow an October 18th Wall Street Journal article that revealed that Facebook applications transmit a user’s Facebook ID to third parties. The Facebook ID could provide access to a user’s personal information. Neither Facebook nor Zynga has commented on the lawsuits. &lt;p&gt;&lt;strong&gt;Tuberculosis Lawsuit Against CDC Revived:&lt;/strong&gt; The lawsuit filed by a man who was the subject of a 2007 international tuberculosis scare was revived by the 11th U.S. Circuit Court of Appeals. The appeals court reversed a lower court’s decision to dismiss his lawsuit claiming that officials with the Centers for Disease Control revealed his private medical condition to publicize the possibility that the disease could be spread worldwide. A lower court had dismissed his lawsuit on the grounds that the plaintiff failed to present sufficient evidence that the CDC was to blame for the privacy breach. 
&lt;p&gt;&lt;strong&gt;Energy Department Warns of Privacy Concerns Surrounding Smart Grid Technologies:&lt;/strong&gt; The use of smart grid technologies, which collect information on consumers' energy consumption, allows utilities to help consumers reduce their energy costs. However, Department of Energy officials warned that these technologies could also disclose private information regarding the activities of a particular household. The Department warned that controls should be implemented to ensure that the information is collected and used in line with privacy expectations. &lt;p&gt;&lt;strong&gt;Facebook Lobbies California Lawmakers on Privacy Act:&lt;/strong&gt; Facebook fought the passage of a California state Senate bill that was designed to restrict social-networking sites from displaying the addresses and phone numbers of minors. Once the Social Networking Privacy Act passed the Senate, Facebook began to lobby against its passage in the California Assembly. Senator Ellen Corbett, the sponsor of the legislation, told the reporter who broke the CA lobbying story that “It appears they just worked in the background, to kill the bill.” &lt;p&gt;&lt;strong&gt;Privacy and Data Protection Team&lt;/strong&gt;&lt;br /&gt;The attorneys in Womble Carlyle’s &lt;a href="http://www.wcsr.com/profSearch?team=privacyanddataprotection"&gt;Privacy and Data Protection Team&lt;/a&gt; provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. 
Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-262998254067483069?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/262998254067483069/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/11/privacy-bulletin-issue-no-48.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/262998254067483069?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/262998254067483069?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/11/privacy-bulletin-issue-no-48.html" title="Privacy Bulletin: Issue No. 
48" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D08HQHc9fip7ImA9Wx5UEUo.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-8624688574729488184</id><published>2010-10-15T16:46:00.004-04:00</published><updated>2010-10-15T16:50:31.966-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-10-15T16:50:31.966-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="cyber risk privacy kroll marsh womble carlyle" /><title>Avoid Cyber Risks -Event on October 19 in Washington, DC</title><content type="html">&lt;p&gt;Did you Know?&lt;br /&gt;On average, it takes 150-175 hours of time to restore an individual’s identity. Additionally, contrary to the hype in the media, only 20% of identity theft cases surround credit fraud. Everything from W-2 fraud, bank fraud and even health care patient record fraud are all risks to a potential victim. &lt;p&gt;Marsh, Kroll Fraud Solutions and Womble Carlyle invite you to join other financial, legal and risk management professionals to learn more about cyber risk, network security and privacy liability solutions. &lt;p&gt;Learn more on October 19. 
&lt;a href="http://www.seeuthere.com/DC_Cyber" target="_blank"&gt;Click here to register.&lt;/a&gt;&lt;p&gt;Venue: Marsh DC Office -- 1255 23rd Street, NW Washington, DC 20037 &lt;p&gt;For additional information or to register by phone, please contact Brandon Gabosch at (202) 263-6724 or &lt;a href="mailto:brandon.gabosch@marsh.com"&gt;brandon.gabosch@marsh.com&lt;/a&gt; &lt;p&gt;&lt;a href="http://www.wcsr.com/resources/pdfs/cyberrisks.pdf"&gt;Printable invitation&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-8624688574729488184?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/8624688574729488184/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/avoid-cyber-risks-event-on-october-19.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8624688574729488184?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/8624688574729488184?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/avoid-cyber-risks-event-on-october-19.html" title="Avoid Cyber Risks -Event on October 19 in Washington, DC" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry 
gd:etag="W/&quot;DUEBQHw5fSp7ImA9Wx5UEEo.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-7479691284305774302</id><published>2010-10-13T11:39:00.005-04:00</published><updated>2010-10-14T13:34:11.225-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-10-14T13:34:11.225-04:00</app:edited><title>Privacy Bulletin: Issue No. 47</title><content type="html">&lt;p&gt;Womble Carlyle’s “Privacy Bulletin” highlights select developments that might be of interest to entities that collect or use personally identifiable information. Protecting a person’s privacy is a challenge to businesses, universities, and all other entities that collect personal information, particularly given the proliferation of personally identifiable information contained in consumer and employee records. &lt;p&gt;&lt;strong&gt;In the News&lt;/strong&gt; &lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://epic.org/privacy/ftc/googlebuzz/buzz_settlement.pdf"&gt;Google Settles Buzz Privacy Lawsuit for $8.5 Million&lt;/a&gt;:&lt;/strong&gt; Google settled a class action lawsuit filed last April over alleged privacy violations stemming from their Buzz program. Google launched Buzz in February of last year. The program utilized the contacts of subscribers to Google’s free email service to create a public social networking tool. The lawsuit alleged that Google Buzz violated privacy protections by sharing users’ private information, including lists of users with whom they interacted, without their consent. After filing the settlement paperwork with the court, Google posted a notice on its website indicating that they were changing their privacy policy. 
According to Google’s Associate General Counsel, the changes wouldn’t affect any of Google’s privacy practices; rather, the new policy would streamline and update the company’s privacy policies.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.gao.gov/products/GAO-10-693"&gt;GAO Releases Report Criticizing Contractor Access to Sensitive Government Data&lt;/a&gt;:&lt;/strong&gt; The Government Accountability Office released a report on September 10, 2010, focusing on a year-and-a-half study of contractors assigned to three government agencies: Department of Defense, Homeland Security, and Health and Human Services (HHS). The GAO found that sensitive information released to contractors working with those agencies was not properly safeguarded and therefore posed a significant risk of improper disclosure or misuse. The report follows an announcement by Defense Secretary Robert Gates in August announcing major cuts to the government’s reliance on contractors, calling for a “10 percent annual reduction in spending on contractors who provide support services to the military, including money for intelligence-related contracts.” The report highlighted several data-breach incidents including one where a contract employee stole the names, social security numbers and birthdates of employees at the Transportation Security Administration in Boston.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://epic.org/2010/09/epic-files-suit-for-documents.html"&gt;EPIC Sues National Security Agency for Information about Communications with Google&lt;/a&gt;:&lt;/strong&gt; On September 13, 2010, the Electronic Privacy Information Center (“EPIC”) sued the National Security Agency (“NSA”) for information regarding its alleged agreement with Google, Inc. to protect the company from cyber attacks by foreign entities. 
Earlier this year reports began to surface in several news outlets that Google had recruited the NSA to investigate the source of an alleged attack on Google’s corporate infrastructure originating from China and to take steps necessary to prevent future intrusions. EPIC’s suit began as a Freedom of Information Act request for any documents relating to such an agreement between Google and the NSA. When the NSA refused to provide the documents, the privacy agency sued. “In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship [between Google and the NSA],” EPIC said, in its FOIA request.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.regulations.gov/search/Regs/home.html#docketDetail?R=HHS-OCR-2010-0016"&gt;HHS Receives Detailed Comments on Proposed HIPAA changes&lt;/a&gt;:&lt;/strong&gt; The HHS Office of Civil Rights will have their hands full as they review the thousands of pages of comments filed in response to their proposal to modify the HIPAA privacy, security and enforcement rules. The filing deadline for the comments was September 13, 2010. The comments focused on a range of issues including concerns about the cost and impracticability of allowing patients to restrict certain information submitted to healthcare providers from being shared with insurance companies. The comments also touched on the proposed modification to the HIPAA requirements requiring business associates and their subcontractors to comply with privacy and security rules. While commenters generally applauded the proposal, many expressed concern with the proposed requirement that entities covered by HIPAA modify their business associate agreements to reflect the latest changes, claiming that the proposed rule would be unduly burdensome. 
Some commenters also requested an extension to the 180-day compliance requirement, asking that entities receive a full year to come into compliance once the final rules become effective.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.ftc.gov/opa/2010/09/worldprivacy.shtm"&gt;International Launch of Global Privacy Enforcement Network and Website&lt;/a&gt;:&lt;/strong&gt; The Federal Trade Commission along with an international group of privacy enforcement officials recently commenced a Global Privacy Enforcement Network (“GPEN”) and accompanying website, &lt;a href="http://www.privacyenforcement.net/"&gt;http://www.privacyenforcement.net/&lt;/a&gt;, to aid information sharing efforts and international support of global privacy issues. Network participants include privacy enforcement authorities from countries across North America, Europe, Australia and the Middle East. “To protect consumers’ privacy in today’s global economy, all of us who work in law enforcement around the world need to cooperate with each other,” commented FTC Chairman Jon Leibowitz. “We at the FTC are looking forward to working closely with our colleagues overseas to make this happen.”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.ftc.gov/opa/2010/09/data.shtm"&gt;FTC Testifies at Senate Commerce Committee Discussing Proposed Data Security Legislation&lt;/a&gt;:&lt;/strong&gt; On September 22, 2010, the Consumer Protection, Product Safety, and Insurance Subcommittee of the Senate Committee on Commerce, Science, and Transportation held a hearing to discuss the pending Data Security and Breach Notification Act of 2010 (the “Act”). The bill is one of a host of newly proposed legislation designed to address data security and privacy practices. Similar to the Data Accountability and Trust Act passed by the House of Representatives in December of 2009, the Senate Act brings Congress closer to passage of comprehensive data breach and privacy reform. 
The Act addresses three main data security and privacy issues: (1) requiring entities that have individuals’ personal information to adopt data security protection measures, including secure means for disposal of electronic and non-electronic data; (2) requiring entities to notify their customers and the Federal Trade Commission (“FTC”) of data security breaches; and (3) requiring information brokers to put into practice procedures to guarantee data accuracy, enable consumers to access their data, and permit customers to dispute inaccurate personal information. The FTC expressed general support for the Act, but recommended that the Senate expand its reach to cover security breaches that involve both paper and electronic records and to extend the requirements of the Act to telecommunications carriers, by providing the FTC with the authority to regulate those entities, regardless of the common carrier exemption. Other industry advocates attending the hearing expressed concern that the requirements could effectively over-notify customers about security breaches that do not expose consumers to a risk of identity theft or fraud.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.house.gov/list/press/il01_rush/ebay_microsoft_intel_joint_privacy.pdf"&gt;Major Technology Companies Indicate Support of Rush Privacy Legislation&lt;/a&gt;:&lt;/strong&gt; On October 4, technology companies Intel, eBay and Microsoft sent a letter to Rep. Bobby Rush, D-Ill., Chairman of the Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, indicating their support for his privacy legislation: "We support the bill's overall framework, which is built upon the Fair Information Practices regime. We appreciate that the BEST PRACTICES Act is technology neutral and gives flexibility to the Federal Trade Commission to adapt to changes in technology." 
The companies commented, however, that the House should remove the provision providing consumers the opportunity to sue for violating provisions of the bill, stating that such a provision would cause "unnecessary litigation costs and uncertainty for businesses" and would not combat consumer privacy issues. The legislation, as drafted, would permit websites and other companies covered by the bill to collect consumer information, but would require notice to the consumer and an option to opt-out. Additionally, the bill would require consumers to opt-in to disclosure of information to third-parties, unless the company participated in a “universal opt-out program.” The Subcommittee is expected to hold a hearing on the bill in November and discuss the addition of a provision requiring companies to create a “do-not-track list,” permitting consumers to opt-out of web activity tracking.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Privacy and Data Protection Team&lt;/strong&gt; &lt;p&gt;The attorneys in Womble Carlyle’s &lt;a href="http://www.wcsr.com/teams/privacy-and-data-protection"&gt;Privacy and Data Protection Team&lt;/a&gt; provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. 
Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-7479691284305774302?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/7479691284305774302/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/privacy-bulletin-issue-no-47.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/7479691284305774302?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/7479691284305774302?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/privacy-bulletin-issue-no-47.html" title="Privacy Bulletin: Issue No. 47" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CUUCRHw_eCp7ImA9Wx5VE00.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-4559606821675461802</id><published>2010-10-05T14:26:00.002-04:00</published><updated>2010-10-05T14:27:45.240-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-10-05T14:27:45.240-04:00</app:edited><title>Are You Naked Online? 
(Webinar)</title><content type="html">&lt;p&gt;Most Internet users would be shocked to learn just how much of their private information is available online—and at the lengths some will go to in order to access that information. &lt;p&gt;Womble Carlyle attorney &lt;a href="http://www.wcsr.com/lawyers/theodore-claypoole"&gt;Ted Claypoole&lt;/a&gt; will be a presenter in a &lt;a href="http://oreillynet.com/pub/e/1753"&gt;free one-hour Webcast&lt;/a&gt; focusing on issues of online privacy and data security. Claypoole, a frequent speaker and author on data security issues, will be joined by Theresa Payton, CEO of &lt;a href="http://www.fortalicesolutions.com/"&gt;Fortalice®, LLC&lt;/a&gt;, a security, risk and fraud consulting company. &lt;p&gt;The “Are You Naked Online?” Webinar takes place at 1 p.m. on Thursday, Oct. 7&lt;sup&gt;th&lt;/sup&gt;, and is presented by O’Reilly Webcasts. &lt;a href="https://oreilly.connectsolutions.com/nakedonline/event/registration.html"&gt;Click here to register&lt;/a&gt;. &lt;p&gt;Ted Claypoole is a Member of Womble Carlyle Sandridge and Rice in the Intellectual Property Transaction group in Charlotte, and the leader of its Privacy and Data Management Team. He has long been charged with internet privacy issues as in-house corporate counsel for CompuServe and as assistant general counsel for Bank of America. Claypoole has served on a U.S. Justice Department computer crimes task force and the Information Protection Committee for the Banking Industry Technology Secretariat. 
He is the co-chair of the American Bar Association's Cyberspace Law Privacy and Data Security Subcommittee.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-4559606821675461802?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/4559606821675461802/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/are-you-naked-online-webinar-october-7.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/4559606821675461802?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/4559606821675461802?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/10/are-you-naked-online-webinar-october-7.html" title="Are You Naked Online? 
(Webinar)" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D0YERXc6cSp7ImA9Wx5WF00.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-3495462753095750554</id><published>2010-09-28T16:17:00.000-04:00</published><updated>2010-09-28T16:18:24.919-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-09-28T16:18:24.919-04:00</app:edited><title>Womble Carlyle to Participate in IAPP Privacy Academy</title><content type="html">&lt;p&gt;Baltimore, MD—More than 1,500 privacy professionals will gather in Baltimore, MD for three days of intensive education and networking at the International Association of Privacy Professionals’ (IAPP) Annual Privacy Academy on September 29 – October 1, 2010. This year’s Academy will be held at the Hilton Baltimore where Womble Carlyle’s Privacy and Data Protection Team will participate as an Exhibitor. &lt;p&gt;Among those representing the firm’s &lt;a href="http://www.wcsr.com/teams/privacy-and-data-protection"&gt;Privacy and Data Protection Team&lt;/a&gt; at this year’s Global Summit are &lt;a href="http://www.wcsr.com/lawyers/theodore-claypoole"&gt;Ted Claypoole&lt;/a&gt;, &lt;a href="http://www.wcsr.com/lawyers/jennifer-kashatus"&gt;Jennifer Kashatus&lt;/a&gt;, &lt;a href="http://www.wcsr.com/lawyers/eric-breisach"&gt;Eric Breisach&lt;/a&gt; and &lt;a href="http://www.wcsr.com/lawyers/sarah-miller"&gt;Sarah Byer Miller&lt;/a&gt;. Womble Carlyle’s attendees will join the community of global privacy professionals to share insight on various privacy issues, discuss challenges and identify innovative solutions to help address our clients’ privacy needs. 
&lt;p&gt;Womble Carlyle’s multi-disciplined Privacy and Data Protection Team helps clients with comprehensive planning to safeguard their businesses with the goal of helping clients avoid privacy protection pitfalls so they can focus on their core business. Our team has backgrounds in wide-ranging areas including intellectual property, technology, data security, regulatory compliance, health information, communications, education, employment, financial services, retail, e-commerce and trade secrets. By taking a full-service approach to privacy issues, we are able to meet our clients’ diverse needs. &lt;p&gt;Founded in 2000, the IAPP is the world's largest association of privacy professionals, representing more than 6,700 members from businesses, governments and academic institutions across 52 countries. For more information, please visit &lt;a href="http://www.privacyassociation.org/"&gt;http://www.privacyassociation.org/&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-3495462753095750554?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/3495462753095750554/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/09/womble-carlyle-to-participate-in-iapp.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/3495462753095750554?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/3495462753095750554?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/09/womble-carlyle-to-participate-in-iapp.html" title="Womble Carlyle to Participate in IAPP Privacy Academy" /><author><name>The Womble 
Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CUMAQ34_eip7ImA9Wx5QFU4.&quot;"><id>tag:blogger.com,1999:blog-5076505540463819273.post-2277165618253789087</id><published>2010-09-03T11:05:00.008-04:00</published><updated>2010-09-03T13:04:02.042-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-09-03T13:04:02.042-04:00</app:edited><title>Privacy Bulletin: Issue No. 46</title><content type="html">&lt;p&gt;&lt;b&gt;In the News&lt;/b&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Connecticut Board of Education Considers RFID System to Track Students:&lt;/b&gt; The New Canaan, Connecticut Board of Education has begun talks with SecureRF Corporation to hire SecureRF to provide the town’s schools with a monitoring system called a Radio Frequency Identification (“RFID”) system. Students would carry RFID tags, which would use radio waves to allow monitors to see when students pass designated points where the tags are registered. SecureRF introduced the idea at August’s Board meeting. SecureRF is applying for a $100,000 grant from the National Science Foundation to fund the system, which would be a pilot program for larger deployment to occur later. Student participation in the program would be voluntary. 
Assistant Superintendent of Schools Steven Swerdlick said that the Board is considering the privacy implications, explaining that the Board would have to be “thoroughly satisfied that there is no negative impact on privacy and safety” before making any final decision about RFID deployment.&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1151-1200/sb_1166_bill_20100823_enrolled.html"&gt;California Breach Notification Bill Sent Back to Governor:&lt;/a&gt; On August 19, 2010, the California Senate passed SB 1166, which would update California’s data breach notification law. The bill (then SB 20) was previously vetoed last October because, the governor said, there was no proof that the new measures would actually help consumers. Joe Simitian (D-Palo Alto), who drafted the bill, said he was persuaded to reintroduce it this year after conversations with the Governor’s office, and that, based on those conversations “a signature by the Governor seems possible this year.” SB 1166 would require additional information in notification letters, including the type of personal information exposed, a description of the incident, and an explanation of what steps consumers can take to protect themselves from identity theft. California’s current law was the first breach notification law in the nation in 2002. Since then, most states have adopted similar laws. Many of the newer rules include the kind of information SB 1166 would require.&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.abanow.org/2010/02/statement-of-aba-president-lamm-re-ftc-appeal-of-loss-in-red-flags-litigation/"&gt;ABA Continues to Fight Inclusion of Attorneys in Groups Regulated by Red Flag Rules:&lt;/a&gt; On August 20, 2010, the American Bar Association filed a brief in D.C. Circuit Court responding to FTC claims that lawyers should be required to comply with the “red flag” rules requiring financial institutions and creditors to develop and maintain identity theft prevention programs. 
The issue is before the D.C. court on an appeal by the FTC of a 2009 ruling in D.C. district court that found that the FTC’s interpretation of the law, which would cover lawyers, was unreasonable. In its August 20 filing, the ABA argued that the FTC cannot regulate the practice of law until such time as Congress gives the FTC an “unmistakably clear” grant of authority to do so. No oral argument date has been set, but the FTC will have a chance to respond to the ABA’s brief by September 21, 2010.&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.ilga.gov/legislation/fulltext.asp?DocName=&amp;amp;SessionId=76&amp;amp;GA=96&amp;amp;DocTypeId=HB&amp;amp;DocNum=4658&amp;amp;GAID=10&amp;amp;LegID=48740&amp;amp;SpecSess=&amp;amp;Session="&gt;Illinois Enacts Law Prohibiting Credit Checks by Employers:&lt;/a&gt; On August 10, 2010, Illinois passed HB 4658, the “Employee Credit Privacy Act,” which restricts the access of employers to credit histories of potential employees. The law restricts employers from obtaining, or even inquiring about, credit histories unless a satisfactory credit history is an “established bona fide occupational requirement” of a particular job, under a limited set of circumstances, such as a requirement by state and federal law that bonding or other security is required to cover the employee. Employers are also prohibited from (i) failing to hire or recruit, (ii) firing, or (iii) otherwise discriminating against employees or potential employees on the basis of their credit histories. Illinois is the fourth state to enact legislation restricting employer access to employee credit information.&lt;br /&gt;&lt;p&gt;&lt;b&gt;Privacy and Data Protection Team&lt;/b&gt;&lt;br /&gt;&lt;p&gt;The attorneys in Womble Carlyle’s &lt;a href="http://www.wcsr.com/teams/privacy-and-data-protection"&gt;Privacy and Data Protection Team&lt;/a&gt; provide a wide array of privacy services to clients. 
We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5076505540463819273-2277165618253789087?l=wombleprivacy.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://wombleprivacy.blogspot.com/feeds/2277165618253789087/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://wombleprivacy.blogspot.com/2010/09/privacy-bulletin-issue-no-46.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2277165618253789087?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5076505540463819273/posts/default/2277165618253789087?v=2" /><link rel="alternate" type="text/html" href="http://wombleprivacy.blogspot.com/2010/09/privacy-bulletin-issue-no-46.html" title="Privacy Bulletin: Issue No. 
46" /><author><name>The Womble Carlyle Team</name><uri>http://www.blogger.com/profile/14543558843949112918</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total></entry></feed>

