BLOGS: Privacy and Data Protection

Wednesday, June 17, 2009, 9:30 AM

Privacy Bulletin: Issue No. 21

In the News
Nevada Amends Personal E-Data Transfer Law: On May 29, 2009, Nevada Governor Jim Gibbons approved SB 227, which amends the current Nevada data security law. The law requires all entities doing business in the state to encrypt personal data on all hardware and mobile devices and to only accept credit cards that adhere to the payment card industry data security standards (PCI DSS). Companies with a national practice should note that this is the first time a state requires all personal data to be encrypted. Companies practicing in and around Nevada may need to change the way data is handled. The new law repeals Nevada Revised Statutes section 597.970 and will be effective January 1, 2010.

Agencies Release FAQs on Identity Theft Rules: On June 11, 2009, the Federal Trade Commission (FTC), in conjunction with the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) released a set of Frequently Asked Questions to assist creditors and other covered account holders to comply with the Red Flag Identity Theft Rules. The FTC has also created a website which serves a similar purpose.

FTC Settles with Sears Over Online Behavioral Tracking Software: On June 4, 2009, the Federal Trade Commission (FTC) announced that it had settled charges against Sears Holdings Management Corporation (Sears) for failure to adequately disclose that its software collected sensitive personal information from customers in violation of the FTC Act. Under the terms of the settlement, Sears must destroy all personal information it obtained as a result of the software and must clearly and prominently disclose the types of data the software will monitor, record, or transmit in the future if it uses similar technology.

Wiretap Suits Against Telcos Dismissed: On June 3, 2009, the United States District Court for the Northern District of California dismissed several dozen lawsuits claiming that telecommunications providers illegally assisted law enforcement officials in conducting warrantless wiretaps of their customers' phone lines. Although Congress created an immunity provision for phone companies to prevent liability in 2008, the suits would have severely penalized telecommunications providers for violating the privacy rights of customers by permitting government surveillance operations. While the court recognized that Congress retroactively created immunity rights, the arguments advanced by privacy advocates were not strong enough to overturn Congressional intent. Privacy advocates are expected to appeal the decision to the Ninth Circuit.

Court Overturns Virginia Law to Permit Posting of Social Security Numbers on Websites: On June 2, 2009, the United States District Court for the Eastern District of Virginia ruled in favor of privacy advocate B.J. Ostergren, permitting her to post the Social Security Numbers of Virginia Legislators on her website, thevirginiawatchdog.com. Ostergren initially posted the information to force legislative action requiring redaction of that and similar information before it is posted on the Internet; however, the legislature instead passed a law prohibiting the dissemination of the numbers over the Internet. The Court ruled that the Virginia Personal Information Privacy Act, effective 2008, which prohibits disseminating information taken from public records, was a violation of Ostergren's First Amendment rights.

DOD Budget Prioritizes Cybersecurity: On June 9, 2009, Department of Defense (DOD) Secretary Robert Gates testified before the Senate Appropriations Committee, Defense Subcommittee, that keeping cybersecurity infrastructure safe is one of the most important national security challenges moving forward. Gates' testimony revealed that the budget was increased to improve information security technology and increase the number of cybersecurity experts working for the government.

Batteries.com Reports Data Breach: In early June, online retailer Batteries.com announced that it reported a data breach incident to the New Hampshire Department of Justice in May. The breach occurred in February 2009 when the retailer's server was hacked and continued for several weeks until discovered in March 2009. The breach resulted in the exposure of names, addresses and credit card information of approximately 900 New Hampshire residents. Some customers have already reported unauthorized use of credit cards. Batteries.com will provide customers with two years of free credit monitoring and has established a call center to answer customer questions.

BS 10012 British Data Protection Standard Released: Recently, BSI Standards, the National Standards Body of the UK, in response to its study that one in five businesses has breached the Data Protection Act, announced a new British standard to better protect personal data. BS 10012 was established to implement best practices and regulatory compliance guidelines for the effective management of personal information by businesses.

Upcoming Events: Wednesdays with Winston - A "brown bag" lunchtime series focused on the issues of online safety and privacy. Join the Family Online Safety Institute (FOSI) and Womble Carlyle to learn what's happening in online safety at the Federal Communications Commission. June 24, 2009, 12:00-1:30 pm at Womble Carlyle's Washington, DC office. For more information or to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Tuesday, June 2, 2009, 2:40 PM

The Privacy Bulletin - June 2, 2009

Obama Names New Cyber Security Chief: On May 29, 2009, President Obama named Melissa Hathaway to head the new White House Office of Cyber Security. Previously, Ms. Hathaway served as the cyber coordination executive for the director of national intelligence who spearheaded the 60-day comprehensive review of national cyber policies earlier this year.

Review of the EU Data Directive Released: In May, Rand Europe, commissioned by the Information Commissioner’s Office of the European Union, released a report providing a comprehensive review of the European Data Directive. The review was commissioned due to concerns that the directive is out of date, burdensome and does not adequately address security risks to personal information. The report concluded that a complete overhaul of the directive is not necessary and recommended new methods to better protect information outside of Europe and harmonization of laws between EU member states.

California Judge Rules LifeLock’s Fraud Alert Service Illegal: On May 27, 2009, a federal judge in the Central District of California ruled that identity theft prevention firm LifeLock violated the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and engaged in unlawful and unfair business practices under California's Unfair Competition Law by placing fraud alerts on its customers’ credit files. The Court reasoned that Congress did not intend for consumers to be able to contract with a business to place fraud alerts. Rather, Congress only intended for a family member, guardian or attorney to make the request on behalf of a potential fraud victim.

Interactive Advertising Bureau Releases Guidelines for Social Media Advertising: On May 18, 2009, the Interactive Advertising Bureau (IAB) released its “best practices” guidelines for social media advertising. The guidelines are intended to help protect consumer privacy and ensure transparency about what data is used by interactive media companies and how it is used. Specifically, the guidelines recommend consumer opt-ins for usage of data for targeted advertising and the creation of additional privacy policies to govern how social data may be used in the context of social advertising.

Maryland Governor Signs Health IT Bill: On May 19, 2009, Maryland Governor Martin O’Malley signed HB 706 into law. The bill fosters the development of Health Information Technology (HIT) and uses HIT funding provided by the American Recovery and Reinvestment Act of 2009. HIT is a tool that uses electronic health records to enhance the ability to access health information at the time and place of care and to exchange health information via secure channels. The intent of HB 706 is to encourage the use of electronic medical records.

If you have any questions, comments or would like to schedule a consultation, please feel free to contact any of our Privacy Team Members.
