Privacy & Information Security Law Blog

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement. 

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about ...

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17th, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

On April 17, the U.S. Department of Health and Human Services ("HHS") issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information ("PHI") unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to already high-profile issues in Washington -- how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the warnings of the Commission proved true in a real-world way.

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide ...

Former Silicon Valley entrepreneur Rod Beckstrom has tendered his resignation from the post of Director of United States National Cybersecurity Center, effective March 13, 2009.  In his resignation letter to Secretary of Homeland Security Janet Napolitano, Mr. Beckstrom complained of inadequate funding and criticized the National Security Agency’s dominant role in “most national cyber efforts.”  He characterized this arrangement as “bad strategy” because “intelligence culture is very different than a network operations or security culture,” and he argued ...

The Federal Trade Commission, the Asia-Pacific Economic Cooperation forum, and the Organisation for Economic Co-operation and Development are hosting a multinational workshop on "Securing Personal Data in the Global Economy" in Washington, D.C. on March 16-17, 2009. In anticipation of that workshop, the Centre for Information Policy Leadership at Hunton & Williams LLP is releasing this white paper with ten key recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and ...

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers.  He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme.  The 27 year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets.  His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud.  He faced up to 60 years in prison and $1.75 million in fines.

Emerging economies developing privacy laws are confronted with two challenges: how best to protect the privacy interests of local citizens and how to put in place privacy governance that assures companies and individuals outside the economy that information that flows into the region is properly protected and secured.  The APEC Privacy Framework provides sound guidance for drafters engaged in this effort.  By recognizing that privacy reflects the mores and values of local culture, it provides an approach to privacy protection that can be adapted to reflect the needs of local citizens within a widely recognized and adopted architecture.  At the same time, it sets out requirements for strong security, compliance with rules governing the use and management of data and cross-border cooperation for dispute resolution and enforcement. 

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.

This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers.  The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications.  The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal as well as its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement for $100,000 between HHS and Providence Health in July 2008.

On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of its information security regulations and extended the compliance deadline from May 1, 2009 to January 1, 2010. This is the second time Massachusetts has extended the deadline; previously, the deadline was changed to May 1, 2009 in consideration of the economic climate.

The New Jersey Division of Consumer Affairs has published a pre-proposal of rules relating to the protection of personal information (“PPR”) and is accepting comments on the PPR until February 13, 2009, after which it will formally propose rules. The PPR comes nearly a year after the state withdrew earlier proposed rules (the “Original Proposal”) that drew fire from the business community for the burdens they would have imposed. Among other obligations, the PPR would (i) require implementation of a comprehensive written security program; (ii) impose security breach ...

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

Provisions of the economic stimulus legislation (known as the American Recovery and Reinvestment Act (“ARRA”)), recently passed by the U.S. House of Representatives, require certain entities to notify affected individuals, government agencies and the media of breaches of “unsecured protected health information.” Additional provisions substantially revise regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While these provisions are specifically limited to the context of health data, they have ...

Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

New York State recently enacted legislation restricting the use of Social Security numbers (“SSNs”) by employers. The legislation takes effect on January 3, 2009.

Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.