Privacy & Information Security Law Blog

Earlier today, a Department of Commerce official briefed Hunton & Williams and Centre for Information Policy Leadership representatives on the Department’s forthcoming “Green Paper” on privacy.  On November 12, 2010, Telecommunications Reports Daily published an article based on information obtained from an unofficial, pre-release draft version of the Green Paper.  It remains to be seen which portions of the leaked draft ultimately will survive the interagency approval process currently underway.  The Department of Commerce representative emphasized that the content of the draft Green Paper currently undergoing review is consistent with Assistant Secretary of Commerce Larry Strickling’s October 27, 2010, speech in Jerusalem.  In his speech, Secretary Strickling explained that the Department is calling it a “Green” Paper, “not because of its environmental impact, but because it contains both recommendations and a further set of questions on topics about which [the Department] seek[s] further input.”

On November 4, 2010, the New York Privacy Officers' Forum hosted a live program to discuss emerging issues in behavioral advertising.  Peter Weingard from online advertising technology and services company Collective began the program with a presentation highlighting the evolution of the advertising industry and the benefits of online behavioral advertising to advertisers, publishers and consumers.  Hunton & Williams partner Aaron Simpson followed Mr. Weingard with a presentation focusing on the emerging legal issues associated with the technology, including a discussion ...

As the EU released new data protection proposals recommending stricter controls on individual online privacy, Hunton & Williams Brussels counsel Wim Nauwelaerts appeared on BBC TV and spoke to the Associated Press and The New York Times.  The articles also were featured globally in Forbes Magazine, Bloomberg Businessweek, CNBC, The International-Herald Tribune, The Parliament Magazine and other media sources.  London partner Bridget Treacy spoke with The Wall Street Journal, and the firm’s practice head Lisa Sotto spoke with The Washington Post.

On November 8, 2010, Connecticut Insurance Commissioner Thomas Sullivan announced that Health Net of Connecticut, Inc. (“Health Net”) had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.  The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut.  Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

Representative Rick Boucher (D-VA), current head of the House Subcommittee on Communications, Technology and the Internet, lost his reelection bid yesterday to Republican Morgan Griffith, the Majority Leader of the Virginia House of Delegates.  Representative Boucher, widely recognized and respected for his legislative efforts in the areas of technology, telecommunications and privacy law, co-authored the CAN-SPAM Act and also introduced draft privacy legislation earlier this year.  Congressman Boucher’s defeat leaves the House Subcommittee on Communications, Technology and the Internet panel without its top Democrat, and it is unclear who will fill that leadership vacancy.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

Indiana Attorney General Greg Zoeller announced on October 29, 2010, that he has sued health insurer WellPoint, Inc. for alleged failure to provide timely notification of a data breach.  Indiana’s breach notification statute requires a business that has experienced a data breach to notify affected individuals and the state attorney general “without unreasonable delay.”  The state alleges that WellPoint was notified of the security breach on February 22, 2010, and again on March 8, 2010, but did not begin notifying customers of the breach until June 18, 2010.  A delay is considered reasonable if it is “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:  (A) impede a criminal or civil investigation; or (B) jeopardize national security.”  Ind. Code. § 24-4.9-3-3(a).  WellPoint has not yet filed an answer to the complaint.

The White House recently announced on its official blog that the National Science and Technology Council’s Committee on Technology has launched a new Subcommittee on Privacy and Internet Policy.  The subcommittee will be co-chaired by a representative from the Department of Commerce and the Department of Justice and will include representatives from over a dozen other departments and federal agencies, such as the Department of Health and Human Services and the National Security Council.  The goal of the subcommittee is to “develop principles and strategic directions” that will foster “consensus in legislative, regulatory, and international Internet policy realms.”  Some of these principles include “facilitating transparency, promoting cooperation, empowering individuals to make informed and intelligent choices, strengthening multi-stakeholder governance models, and building trust in online environments.”

On October 27, 2010, the U.S. Commodity Futures Trading Commission (the “CFTC”) issued two notices of proposed rulemaking (“NPRMs”), citing Gramm-Leach-Bliley Act (“GLBA”) privacy rules, and marketing and data disposal rules of the Fair Credit Report Act (“FCRA”).

The proposed rules come in the wake of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which places two new categories of covered entities (i.e., “swap dealers” and “major swap participants”) under the CFTC’s jurisdiction.  Under the proposals, those entities would be subject to certain GLBA privacy rules that regulate the treatment of consumers’ nonpublic personal information, and sections of the FCRA that address affiliate marketing and data disposal.