The Privacy Bulletin - May 1, 2009

In The News

FTC Grants Three Month Delay of Enforcement of Red Flag Rules: The Federal Trade Commission's (FTC) Red Flag rules were scheduled to go into effect on May 1, 2009. On April 30, 2009 the FTC announced that it would delay enforcement of the rules until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. The FTC also announced that it will soon release a template to help entities with a low risk of identity theft to help them comply with the law. The announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight. The rules are aimed to prevent identity theft and require any creditors with covered accounts to have written policies in effect that are reviewed and updated regularly as business dynamics change. The rules are jointly enforced by the FTC and by various financial industry regulators. If the FTC receives a complaint about an institution over which it does not have jurisdiction, the FTC may pass that complaint on to the correct regulator.

Court Invalidates Blockbuster Customer Service Agreement: On April 15, 2009, the United States District Court for the Northern District of Texas, applying Texas law, held that an arbitration clause found in Blockbuster, Inc.'s "Terms and Conditions" provision was unenforceable because, in that provision, Blockbuster, Inc. reserved the right to modify the "Terms and Conditions" at any time without expressly indicating that such changes would not apply retroactively. As a precondition to joining Blockbuster’s online service, customers are required to certify that they have read and agreed to Blockbuster's "Terms and Conditions." That provision reserved for Blockbuster the right to modify the contract "in its sole discretion" with any modifications to be effective immediately upon posting the modified agreement on its website. The court found that such language rendered the contract illusory and thus unenforceable.

Lawmakers Examine Privacy Implications of New Technologies: On April 23, 2009, the House Committee on Energy and Commerce, Subcommittee on Communications, Technology and the Internet held a hearing titled, "Communications Networks and Consumer Privacy: Recent Developments." The hearing focused on technologies that network operators utilize to monitor consumer usage and how those technologies intersect with consumer privacy. The hearing explored three ways to monitor consumer usage on broadband and wireless networks: deep packet inspection (DPI); new uses for digital set-top boxes; and wireless Global Positioning System (GPS) tracking.

Vermont Upholds Law Banning Data-Mining of Prescription Drugs: On April 23, 2009, the United States District Court for the District of Vermont upheld a law preventing drug companies from data- mining information about patient prescriptions from pharmacies for marketing purposes. Pharmaceutical companies frequently purchase data on doctor’s prescription patterns to better target doctors to prescribe their company’s drugs. Maine and New Hampshire have similar laws banning the practice.

Washington Adopts RFID Privacy Law: On April 17, 2009, Washington State Governor Christine Gregorie signed into law House Bill (HB) 1011, a bill prohibiting the scanning of an RFID tag by anyone except the business or agency that issued the tag, with certain exceptions. The Governor vetoed section 3 of the bill that would have required the state’s attorney general to make annual recommendations to the legislature regarding any new "potentially invasive technologies." The Governor claimed this section of the bill diverted already scarce funds away from other priority activities. The law will take effect on July 26, 2009.

HHS Publishes Data Protection Guidelines to Prevent Breaches: On April 17, 2009, the Department of Health and Human Services (HHS), building upon already existing guidelines under the HIPAA Privacy and Security rules, released guidelines regarding technologies and methodologies to secure health information and prevent harm by rendering health information unusable, unreadable, or indecipherable to unauthorized individuals. The guidelines provide steps entities can take to secure personal information and establish triggers for consumer notification when information is compromised. The American Recovery and Reinvestment Act (ARRA) required publication of the guidelines by April 18.

FTC Releases Proposed Health Record Breach Notification Regulations: On April 16, 2009, the Federal Trade Commission (FTC) announced that it released a notice seeking public comment on proposed (interim) regulations that would require entities to notify consumers when the security of their electronic health information is breached. The American Recovery and Reinvestment Act (ARRA) requires the Department of Health and Human Services (HHS) to conduct a study and report and consult with the FTC on potential privacy, security and breach notification requirements for holders of personal health records. The FTC's interim rule will be in effect until the study and report is completed in 2010. Comments on the proposed regulations will be accepted through June 1, 2009.

FairPoint Communications Admits Security Breach: FairPoint Communications, Inc. has announced that a portable data-storage device containing employee information is missing from one of its offices. FairPoint cited employee failure to comply with established security policies as the cause of the breach. The device contained names, addresses, social security numbers and birth dates of approximately 4400 employees; however, no financial or customer account information was contained on the device. There is no indication yet that any of the data has been improperly accessed.

FTC Chair Appoints Senior Staff: On April 14, 2009, Federal Trade Commission (FTC) Chairman, Jon Leibowitz announced the appointment of six senior staff members. The appointments include: Richard A. Feinstein (Director, Bureau of Competition), David C. Vladeck (Director, Bureau of Consumer Protection), Joseph Farrell (Director, Bureau of Economics), Susan S. DeSanti (Director, Policy Planning), Jeanne Bumpus (Director, Office of Congressional Relations), and Joni Lupovitz (Chief of Staff to the Chairman).