BLOGS: Privacy and Data Protection

Wednesday, July 15, 2009, 2:39 PM

Privacy Bulletin: Issue No. 23

In the News

Data Breach Laws Take Effect in Alaska and South Carolina: On July 1, 2009, new laws took effect in Alaska and South Carolina requiring entities that experience a data breach involving personally identifiable information (PII) to notify the affected individuals that their information may have been compromised. Both laws apply to all entities doing business in the state, regardless of where they are domiciled, and apply to breaches of unencrypted PII in both paper and electronic records of state residents. The two statutes differ in how they define PII.

Red Flags Rule Is Not Applicable to Participant Loans From 401(k) Accounts: On July 7, 2009, the Federal Trade Commission (FTC) reported that its Red Flags Rule generally does not apply to 401(k) savings plans where the participant exercises the right to take loans directly from his or her own account. Apart from this exception, however, a retirement account is still a covered account under the Rule because, according to the June 11, 2009, interagency guidance: "it involves a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, household, or business purposes."

Advertising Trade Groups Announce Stricter Behavioral Advertising Guidelines: On July 3, 2009, leading advertising trade associations released new self-regulatory principles regarding the tracking and collection of consumer online data. The guidelines consist of seven underlying principles that correspond to the suggested guidelines released by the Federal Trade Commission (FTC) in February 2009 and also address the public education and industry accountability issues raised by the FTC.

IP Addresses Are Not Personally Identifiable Information: On June 23, 2009, a federal judge for the United States District Court for the Western District of Washington ruled that IP addresses are not personally identifiable information. The Court found that Microsoft did not breach the promise in its end user license agreements that it would not collect PII without prior consent when it collected IP addresses in conjunction with software updates. The court reasoned that "in order for personally identifiable information to be personally identifiable, it must identify a person. But an IP address identifies a computer." This ruling conflicts with opinions in other jurisdictions that reasoned that consumers expect their IP addresses to remain private.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Wednesday, July 1, 2009, 1:24 PM

Privacy Bulletin: Issue No. 22

In the News
Texas Expands Data Breach Notification Law: On June 19, 2009, Texas Governor Rick Perry signed H.B. 2004 into law. The bill extends the existing state data breach notification law to require public agencies, in addition to private entities, to notify state residents if their personal information is compromised. The new language also expands the definition of sensitive personal information to include health and medical information and requires that state residents be contacted if such information is compromised. Texas is the last state with an existing breach notification requirement to amend its data breach law to cover both public and private entities. The law will take effect on September 1, 2009.

House Holds Second Hearing on Behavioral Advertising: On June 19, 2009, the House Subcommittee on Communications, Technology and the Internet and the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing to examine the potential privacy implications of behavioral advertising. This is the fifth hearing Congress has held on the issue since last summer. This hearing focused on behavioral targeting through the use of cookies, whereas earlier hearings examined deep packet inspection. Early draft legislation is designed to give consumers more information about what behavioral data is being collected and how that data can be used.

TJX to Settle Data Breach with State Attorneys General for $9.75 Million: On June 23, 2009, the Massachusetts Attorney General announced that a group of 41 state attorneys general had reached a settlement with TJX Companies, Inc. (TJX), operator of several retail chains, including TJ Maxx. According to the Assurance of Discontinuance filed in the Suffolk Superior Court, TJX will pay $9.75 million to end the state attorneys general's investigation into a 2007 data security breach that exposed the financial information of nearly 46 million credit cards. TJX will also implement a comprehensive information security program. This settlement follows similar settlements TJX has reached with the Federal Trade Commission, private banks and credit card companies.

FTC Approves Final Consent Order in CVS Data Breach Case: On June 23, 2009, the Federal Trade Commission (FTC) approved a final consent order in the matter of CVS Caremark Corporation. On February 18, 2009, CVS had settled charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, and that it engaged in unfair and deceptive trade practices in violation of the FTC Act. As part of the settlement, CVS agreed to maintain a comprehensive data security program and to hire an auditor to assess and certify the program every two years for 20 years.

FTC Approves Final Consent Order Against James B. Nutter & Co. for GLB Violations: On June 16, 2009, the Federal Trade Commission (FTC) approved the final consent order in the matter of James B. Nutter & Company (Nutter). On May 5, 2009, the FTC had announced that it settled with the mortgage service company for violations of the FTC's Privacy Rule. The FTC alleged that Nutter had failed to adequately secure customer information. As part of the settlement, Nutter agreed to maintain a comprehensive data security program and to hire an auditor to assess and certify the program every two years for 10 years.

Court Rules Vets Must Prove Actual Damages to Recover for Data Breach: On June 17, 2009, the United States Court of Appeals for the Eleventh Circuit ruled that veterans whose data was breached in February 2007, when a government hard drive was stolen, could recover under the Privacy Act only if they could show financial damages, not mental anguish. The Eleventh Circuit's interpretation of the Privacy Act conflicts with that of other circuits, which do not restrict actual damages under the Privacy Act to monetary losses.

Supreme Court Declines to Review Prescription Drug Privacy Law: On June 29, 2009, the United States Supreme Court denied a petition for writ of certiorari filed by two health information companies, Verispan and IMS Health, that challenged, as a violation of First Amendment free speech rights, a New Hampshire law making it a crime for entities to use information about a doctor's prescription patterns for the purpose of increasing drug sales. Other states have enacted similar laws, and a Vermont law is currently on appeal before the United States Court of Appeals for the Second Circuit.

Article 29 Working Party Publishes Opinion on Social Networking: On June 22, 2009, the European Union's Article 29 Working Party, a committee of data protection regulators, issued a formal opinion on how European Union data privacy law should address privacy in the context of social networking. The recommendations include making tight privacy restrictions the norm, streamlining the consumer complaint procedure, deleting inactive accounts, and limiting the content that is available to advertisers.
