Privacy & Information Security Law Blog

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform proposed by the European Commission in November 2007 consists of various different EU Directives that set-up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and includes the following:

• mandatory notification for personal data breaches ...

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws.  EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent.  The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

• The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the ...

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching.  Of late, there has been a flurry of activity aimed at limiting the scope of the rule.  The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program.  A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.”  In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for ...

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and ...

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

Kaiser Permanente Bellflower Hospital has again been penalized for failing to prevent unauthorized access to confidential patient information.  On July 16, 2009, the California Department of Public Health announced that it had levied administrative penalties totaling $187,500 on the hospital after it was determined that eight Kaiser employees had compromised the privacy of four patients' medical information.  On May 14, 2009, the same facility was fined $250,000 -- the maximum allowable penalty under the new state health privacy provisions that came into effect on January 1st -- for violations related to unauthorized employee access to the medical records of Nadya Suleman.  The latest fine included a $25,000 penalty for each of four patients whose medical records allegedly were breached, plus $17,500 per incident for five subsequent alleged breaches of those medical records after the first.

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade ...

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed.  Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities.  The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency.  The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained and, disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

On May 13, 2009, the French Data Protection Authority (“CNIL”) published its Annual Activity Report.  The Report highlights increasing enforcement activity, noting a record number of investigations, formal notifications and fines.  Having recently celebrated its thirtieth anniversary, the CNIL stated that it seeks to constantly evolve and meet the challenges of modern society by pursuing three key points: (i) diversifying its sources of financing; (ii) increasing the number of personnel; and (iii) including data protection and privacy rights in the French constitution in the near future.

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical ...

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

On 2 March 2009, a Belgian Criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc., €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal court also imposed a daily penalty fee of €10,000 ($13,045) in a case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

The Information Commissioner’s Office (the “ICO”) has conducted a dawn raid on a business which operated a covert database containing details of 3,213 workers in the construction industry (the “Database”). Subscribers included over 40 construction companies, publicly named by the ICO, who used the database to vet prospective employees, without their knowledge or consent.

This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers.  The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications.  The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal as well as its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement for $100,000 between HHS and Providence Health in July 2008.

The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations.  The proceedings mark the culmination of a two-year investigation conducted by Italian authorities.  The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates.  As result of the video footage, Google executives face charges of defamation and privacy infringement.

For purposes of the criminal proceedings, Google is considered an internet content ...

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million dollars in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").