BLOGS: Privacy and Data Protection

Friday, May 15, 2009, 12:26 PM

The Privacy Bulletin - May 15, 2009

In the News
European Commission Issues Formal Recommendation Regarding RFID Technology: On May 12, 2009, the European Commission adopted a set of formal recommendations regarding the protection of sensitive information associated with RFID devices. The recommendations are designed to ensure that manufacturers and designers of RFID technologies respect European consumers' fundamental right to privacy. The recommendations require retailers to deactivate RFID technology at the point of sale unless the consumer opts to keep the tag active, and they include a list of consumer education and awareness initiatives regarding RFID technology.

Claims Dismissed Against Grocery Store in Civil Data Breach Suit: On May 14, 2009, the United States District Court for the District of Maine dismissed all but one claim against grocery store chain Hannaford for its alleged failure to adequately protect sensitive consumer information and to timely notify affected customers. The Court reasoned that without any actual or substantial loss of property the affected consumers could not claim damages.

FTC Testifies Before House Subcommittee on Efforts to Protect Consumers of Financial Services: On May 12, 2009, the Federal Trade Commission (FTC) testified before the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection in an oversight hearing examining consumer credit issues. The FTC testimony highlighted its increase in law enforcement efforts to protect consumers from unfair or deceptive practices. The FTC also endorsed the proposed Consumer Credit and Debt Protection Act, which would permit the FTC to issue rules prohibiting or restricting unfair or deceptive practices relating to consumer credit/debit services.

FTC Testifies Before House Subcommittee on Data Security Over Peer-to-Peer Networks: On May 6, 2009, the Federal Trade Commission (FTC) testified before the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection in a hearing examining the sharing of consumer information over peer-to-peer networks. Specifically, the FTC supported HR 2221, a bill requiring companies to establish reasonable security policies and procedures and to notify customers when a data breach affects them. The FTC also made two additional recommendations: (1) that the legislation be amended to cover data stored on paper (in addition to electronic data); and (2) that certain provisions concerning obligations of information brokers address specific harms consumers face when brokers sell their information.

TD Ameritrade Settles Data Theft Class Action Suit: On May 11, 2009, a judge for the United States District Court for the Northern District of California approved a settlement agreement of a class-action lawsuit over the theft of client contact information from online brokerage firm TD Ameritrade Holding Corporation. Any person who provided an email address to Ameritrade prior to September 14, 2007 could benefit from the suit. The plaintiffs complained because they received unsolicited email advertisements regarding stocks. Thus far only class counsel has received monetary compensation.

Berkeley Students Data Breached: On May 8, 2009, the University of California at Berkeley notified current and former students that its computer system was hacked in early April and that records from the school’s health center dating back to 1999 were stolen. The social security numbers, health insurance information, immunization history and treating physicians of nearly 160,000 people were compromised.

LexisNexis Warns Customers of Possible Data Breach: On May 1, 2009, LexisNexis, an online information service, informed nearly 32,000 customers that their personally identifiable information may have been accessed impermissibly in a credit card fraud scheme. Personally identifiable information was accessed between 2004 and 2007 and was used to set up fake credit cards.

Upcoming Events
Wednesdays with Winston - A "brown bag" lunchtime series focused on the issues of online safety and privacy. Join the Family Online Safety Institute (FOSI) and Womble Carlyle to learn what's happening in online safety at the Federal Communications Commission. June 24, 2009, 12:00-1:30 pm at Womble Carlyle's Washington, DC office. Winston the Bulldog will provide the drinks and desserts! If you have any questions or would like to register, please contact Katie Tedrow.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Friday, May 1, 2009, 3:09 PM

The Privacy Bulletin - May 1, 2009

In The News

FTC Grants Three Month Delay of Enforcement of Red Flag Rules: The Federal Trade Commission's (FTC) Red Flag rules were scheduled to go into effect on May 1, 2009. On April 30, 2009, the FTC announced that it would delay enforcement of the rules until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. The FTC also announced that it will soon release a template to help entities with a low risk of identity theft comply with the law. The announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight. The rules aim to prevent identity theft and require any creditors with covered accounts to have written policies in effect that are reviewed and updated regularly as business dynamics change. The rules are jointly enforced by the FTC and by various financial industry regulators. If the FTC receives a complaint about an institution over which it does not have jurisdiction, the FTC may pass that complaint on to the correct regulator.

Court Invalidates Blockbuster Customer Service Agreement: On April 15, 2009, the United States District Court for the Northern District of Texas, applying Texas law, held that an arbitration clause found in Blockbuster, Inc.'s "Terms and Conditions" provision was unenforceable because, in that provision, Blockbuster, Inc. reserved the right to modify the "Terms and Conditions" at any time without expressly indicating that such changes would not apply retroactively. As a precondition to joining Blockbuster’s online service, customers are required to certify that they have read and agreed to Blockbuster's "Terms and Conditions." That provision reserved for Blockbuster the right to modify the contract "in its sole discretion" with any modifications to be effective immediately upon posting the modified agreement on its website. The court found that such language rendered the contract illusory and thus unenforceable.

Lawmakers Examine Privacy Implications of New Technologies: On April 23, 2009, the House Committee on Energy and Commerce, Subcommittee on Communications, Technology and the Internet held a hearing titled, "Communications Networks and Consumer Privacy: Recent Developments." The hearing focused on technologies that network operators utilize to monitor consumer usage and how those technologies intersect with consumer privacy. The hearing explored three ways to monitor consumer usage on broadband and wireless networks: deep packet inspection (DPI); new uses for digital set-top boxes; and wireless Global Positioning System (GPS) tracking.

Vermont Upholds Law Banning Data-Mining of Prescription Drugs: On April 23, 2009, the United States District Court for the District of Vermont upheld a law preventing drug companies from data-mining information about patient prescriptions from pharmacies for marketing purposes. Pharmaceutical companies frequently purchase data on doctors’ prescription patterns to better target doctors to prescribe their company’s drugs. Maine and New Hampshire have similar laws banning the practice.

Washington Adopts RFID Privacy Law: On April 17, 2009, Washington State Governor Christine Gregoire signed into law House Bill (HB) 1011, a bill prohibiting the scanning of an RFID tag by anyone except the business or agency that issued the tag, with certain exceptions. The Governor vetoed section 3 of the bill, which would have required the state’s attorney general to make annual recommendations to the legislature regarding any new "potentially invasive technologies." The Governor claimed this section of the bill diverted already scarce funds away from other priority activities. The law will take effect on July 26, 2009.

HHS Publishes Data Protection Guidelines to Prevent Breaches: On April 17, 2009, the Department of Health and Human Services (HHS), building upon already existing guidelines under the HIPAA Privacy and Security rules, released guidelines regarding technologies and methodologies to secure health information and prevent harm by rendering health information unusable, unreadable, or indecipherable to unauthorized individuals. The guidelines provide steps entities can take to secure personal information and establish triggers for consumer notification when information is compromised. The American Recovery and Reinvestment Act (ARRA) required publication of the guidelines by April 18.

FTC Releases Proposed Health Record Breach Notification Regulations: On April 16, 2009, the Federal Trade Commission (FTC) announced that it released a notice seeking public comment on proposed (interim) regulations that would require entities to notify consumers when the security of their electronic health information is breached. The American Recovery and Reinvestment Act (ARRA) requires the Department of Health and Human Services (HHS) to conduct a study and report and consult with the FTC on potential privacy, security and breach notification requirements for holders of personal health records. The FTC's interim rule will be in effect until the study and report are completed in 2010. Comments on the proposed regulations will be accepted through June 1, 2009.

FairPoint Communications Admits Security Breach: FairPoint Communications, Inc. has announced that a portable data-storage device containing employee information is missing from one of its offices. FairPoint cited employee failure to comply with established security policies as the cause of the breach. The device contained names, addresses, social security numbers and birth dates of approximately 4400 employees; however, no financial or customer account information was contained on the device. There is no indication yet that any of the data has been improperly accessed.

FTC Chair Appoints Senior Staff: On April 14, 2009, Federal Trade Commission (FTC) Chairman Jon Leibowitz announced the appointment of six senior staff members. The appointments include: Richard A. Feinstein (Director, Bureau of Competition), David C. Vladeck (Director, Bureau of Consumer Protection), Joseph Farrell (Director, Bureau of Economics), Susan S. DeSanti (Director, Policy Planning), Jeanne Bumpus (Director, Office of Congressional Relations), and Joni Lupovitz (Chief of Staff to the Chairman).
