Privacy Bulletin: Issue No. 21

In the News
Nevada Amends Personal E-Data Transfer Law: On May 29, 2009, Nevada Governor, Jim Gibbons, approved SB 227, which amends the current Nevada data security law. The law requires all entities doing business in the state to encrypt personal data on all hardware and mobile devices and to only accept credit cards that adhere to the payment card industry data security standards (PCI DSS). Companies with a national practice should note that this is the first time a state requires all personal data to be encrypted. Companies practicing in and around Nevada may need to change the way data is handled. The new law repeals Nevada Revised Statutes section 597.970 and will be effective January 1, 2010.

Agencies Release FAQs on Identity Theft Rules: On June 11, 2009, the Federal Trade Commission (FTC), in conjunction with the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) released a set of Frequently Asked Questions to assist creditors and other covered account holders to comply with the Red Flag Identity Theft Rules. The FTC has also created a website which serves a similar purpose.

FTC Settles with Sears Over Online Behavioral Tracking Software: On June 4, 2009, the Federal Trade Commission (FTC) announced that it had settled charges against Sears Holdings Management Corporation (Sears) for failure to adequately disclose that its software collected sensitive personal information from customers in violation of the FTC Act. Under the terms of the settlement, Sears must destroy all personal information it obtained as a result of the software and must clearly and prominently disclose the types of data the software will monitor, record, or transmit in the future if it uses similar technology.

Wiretap Suits Against Telcos Dismissed: On June 3, 2009, the United States District Court for the Northern District of California dismissed several dozen lawsuits claiming that telecommunications providers illegally assisted law enforcement officials in conducting warrentless wiretaps of their customer's phone lines. Although Congress created an immunity provision for phone companies to prevent liability in 2008, the suits would have severely penalized telecommunications providers for violating the privacy rights of customers by permitting government surveillance operations. While the court recognized that Congress retroactively created immunity rights, the arguments advanced by privacy advocates were not strong enough to overturn Congressional intent. Privacy advocates are expected to appeal the decision to the Ninth Circuit.

Court Overturns Virginia Law to Permit Posting of Social Security Numbers on Websites: On June 2, 2009 the United States District Court for the Eastern District of Virginia ruled in favor of privacy advocate, B.J. Ostergren, permitting her to post the Social Security Numbers of Virginia Legislators on her website, thevirginiawatchdog.com. Ostergren initially posted the information to force the legislative action to require redaction of that, and similar information, before it is posted on the Internet; however, the legislature, instead, passed a law prohibiting the dissemination of the numbers over the Internet. The Court ruled that the Virginia Personal Information Privacy Act, effective 2008, which prohibits disseminating information taken from public records, was a violation of Ostergren's First Amendment rights.

DOD Budget Prioritizes Cybersecurity: On June 9, 2009, Department of Defense (DOD) Secretary Robert Gates testified before the Senate Appropriations Committee, Defense Subcommittee, that keeping cybersecurity infrastructure safe is one of the most important national security challenges moving forward. Gates' testimony revealed that the budget was increased to improve information security technology and increase the number of cybersecurity experts working for the government.

Batteries.com Reports Data Breach: In early June, online retailer Batteries.com announced that it reported a data breach incident to the New Hampshire Department of Justice in May. The breach occurred in February 2009 when the retailer's server was hacked and continued for several weeks until discovered in March 2009. The breach resulted in the exposure of names, addresses and credit card information of approximately 900 New Hampshire residents. Some customers have already reported unauthorized use of credit cards. Batteries.com will provide customers with two years of free credit monitoring and has established a call center to answer customer questions.

BS 10012 British Data Protection Standard Released: Recently, BSI Standards, the National Standards Body of the UK, in response to its study that one in five businesses has breached the Data Protection Act, announced a new British standard to better protect personal data. BS 10012 was established to implement best practices and regulatory compliance guidelines for the effective management of personal information by businesses.

Upcoming Events: Wednesdays with Winston - A "brown bag" lunchtime series focused on the issues of online safety and privacy. Join the Family Online Safety Institute (FOSI) and Womble Carlyle to learn what's happening in online safety at the Federal Communications Commission. June 24, 2009, 12:00-1:30 pm at Womble Carlyle's Washington, DC office. For more information or to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.