Privacy & Information Security Law Blog

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17th, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

On April 17, the U.S. Department of Health and Human Services ("HHS") issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information ("PHI") unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to already high-profile issues in Washington -- how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the warnings of the Commission proved true in a real-world way.

Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.

“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. 

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide ...

Google Earth and Google Street View, two popular applications offered by Google that enable users to view detailed satellite images of buildings or street-level panoramas of major roads and neighborhoods, have recently engendered controversy.  In the United States, legislators in California and Texas have introduced bills directed at Google Earth and other similar applications.  The proposed California bill prohibits operators of commercial Internet websites that make a “virtual globe browser available to members of the public” from providing “aerial or satellite photographs or imagery” of schools, religious facilities or government buildings, unless those images have been blurred.  Violators could be fined at least $250,000 and natural persons who knowingly violate the provisions could face imprisonment between one to three years.  The proposed Texas bill prohibits any person from publishing on the Internet “an image capable of zooming into greater detail than that of an aerial photograph taken without a magnifying lens 300 feet or higher of private property not visible from the public right-of-way,” and classifies the offense as a Class B misdemeanor, which is punishable by a fine up to $2,000 or 180 days in prison.