The Privacy Bulletin - May 15, 2009

In the News
European Commission Issues Formal Recommendation Regarding RFID Technology: On May 12, 2009, the European Commission adopted a set of formal recommendations regarding the protection of sensitive information associated with RFID devices. The recommendations are designed to ensure that manufacturers and designers of RFID technologies respect European consumers' fundamental right to privacy. The recommendations require retailers to deactivate RFID technology at the point of sale unless the consumer opts to keep the tag active and include a list of consumer education and awareness initiatives regarding RFID technology.

Claims Dismissed Against Grocery Store in Civil Data Breach Suit: On May 14, 2009 the United States District Court for the District of Maine dismissed all but one claim against grocery store chain Hannaford for its alleged failure to adequately protect sensitive consumer information and to timely notify affected customers. The Court reasoned that without any actual or substantial loss of property the affected consumers could not claim damages.

FTC Testifies Before House Subcommittee on Efforts to Protect Consumers of Financial Services: On May 12, 2009, the Federal Trade Commission (FTC) testified before the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection in a oversight hearing examining consumer credit issues. The FTC testimony highlighted its increase in law enforcement efforts to protect consumers from unfair or deceptive practices. The FTC also endorsed the proposed Consumer Credit and Debt Protection Act, that would permit the FTC to issues rules prohibiting or restricting unfair or deceptive practices relating to consumer credit/debit services.

FTC Testifies Before House Subcommittee on Data Security Over Peer-to-Peer Networks: On May 6, 2009, the Federal Trade Commission (FTC) testified before the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection in a hearing examining the sharing of consumer information over peer-to-peer networks. Specifically, the FTC supported HR 2221, a bill requiring companies to establish reasonable security policies and procedures and to notify customers when a data breach affects them. The FTC also made two additional recommendations: (1) that the legislation be amended to cover data stored on paper (in addition to electronic data); and (2) certain provisions concerning obligations of information brokers should address specific harms consumers face when brokers sell their information.

TD Ameritrade Settles Data Theft Class Action Suit: On May 11, 2009, a judge for the United States District Court for the Northern District of California approved a settlement agreement of a class-action lawsuit over the theft of client contact information from online brokerage firm, TD Ameritrade Holding Corporation. Any person who provided an email address to Ameritrade prior to September 14, 2007 could benefit from the suit. The plaintiffs complained because they received unsolicited email advertisement regarding stocks. Thus far only class counsel has received monetary compensation.

Berkeley Students Data Breached: On May 8, 2009, the University of California at Berkeley notified current and former students that its computer system was hacked in early April and records from the school’s health center dating back to 1999 was stolen. The social security numbers, health insurance information, immunization history and treating physicians of nearly 160,000 people was compromised.

LexisNexis Warns Customers of Possible Data Breach: On May 1, 2009, LexisNexis, an online information service, informed nearly 32,000 customers that their personally identifiable information may have been accessed impermissibly in a credit card fraud scheme. Personally identifiable information was accessed between 2004 and 2007 and was used to set up fake credit cards.

Upcoming Events
Wednesdays with Winston - A "brown bag" lunchtime series focused on the issues of online safety and privacy. Join the Family Online Safety Institute (FOSI) and Womble Carlyle to learn what's happening in online safety at the Federal Communications Commission. June 24, 2009, 12:00-1:30 pm at Womble Carlyle's Washington, DC office. Winston the Bulldog will provide the drinks and desserts! If you have any questions or would like to register, please contact Katie Tedrow.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.