Privacy Bulletin: Issue No. 22

In the News
Texas Expands Data Breach Notification Law: On June 19, 2009, Texas Governor, Rick Perry, signed H.B. 2004 into law. The bill extends existing state data breach notification law to now require public agencies, in addition to private entities, to notify state residents if their personal information is compromised. The new language also expands the definition of sensitive personal information to include health and medical information and requires that state residents must be contacted if such information is compromised. Texas is the final state with already existing breach notification requirements to amend its data breach law to cover both public and private entities. The law will take effect on September 1, 2009.

House Holds Second Hearing on Behavioral Advertising: On June 19, 2009, the House Subcommittee on Communications, Technology and the Internet and the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing to examine the potential privacy implications of behavioral advertising. This is the fifth hearing since last summer that Congress has held on the issue. This hearing focused on behavioral targeting through the use of cookies, as opposed to earlier hearings which examined deep packet inspection. Early draft legislation is designed to provide consumers with more information about what behavioral information is being collected and how that data can be used.

TJX to Settle Data Breach with State Attorney Generals for $9.75 Million: On June 23, 2009, the Massachusetts Attorney General announced that a group of 41 state attorney generals had reached a settlement with TJX Companies, Inc. (TJX), operator of several retail chains, including TJ Maxx. According to the Assurance of Discontinuance filed in the Suffolk Superior Court, TJX will pay $9.75 million to end the state attorney generals’ investigation into a 2007 data security breach that exposed the financial information of nearly 46 million credit cards. TJX will also implement a comprehensive information security program. This settlement follows similar settlements TJX has reached with the Federal Trade Commission, private banks and credit card companies.

FTC Approves Final Consent Order in CVS Data Breach Case: On June 23, 2009, the Federal Trade Commission (FTC) approved a final consent order in the matter of CVS Caremark Corporation. CVS settled charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, and engaged in unfair and deceptive trade practices in violation of the FTC Act on February 18, 2009. As part of the settlement, CVS agreed to maintain a comprehensive data security program and hire an auditor to assess and certify the program every two years for 20 years.

FTC Approves Final Consent Order Against James B. Nutter & Co. for GLB Violations: On June 16, 2009, the Federal Trade Commission (FTC) approved the final consent order in the matter of James B Nutter & Company (Nutter). On May 5, 2009, the FTC announced that it had settled with the mortgage service company for violations of the FTC’s Privacy Rule. The FTC alleged that Nutter had failed to adequately secure customer information. As part of the settlement, Nutter agreed to maintain a comprehensive data security program and hire an auditor to assess and certify the program every two years for 10 years.

Court Rules Vets Must Prove Actual Damages to Recover for Data Breach: On June 17, 2009, the United States Court of Appeals for the Eleventh Circuit ruled that Veterans whose data was breached in February 2007 when a government hard drive was stolen could recover under the Privacy Act if they could show financial damages, not mental anguish. The Eleventh Circuit’s interpretation of the Privacy Act conflicts with other circuits, who do not restrict actual damages under the Privacy Act to monetary losses.

Supreme Court Declines to Review Prescription Drug Privacy Law: On June 29, 2009, the United States Supreme Court denied a petition for writ of certiorari filed by two health information companies, Verispan and IMS Health, challenging as a violation of First Amendment free speech rights, a New Hampshire law making it a crime for entities to use information regarding a doctor's prescription patterns for the purpose of increasing drug sales. Other states have enacted similar laws and a Vermont law is currently on appeal with the United States Court of Appeals for the Second Circuit.

Article 29 Working Party Publishes Opinion on Social Networking: On June 22, 2009, the European Union’s Article 29 Working Party, a committee of data protection regulators, issued a formal opinion on how the European Union data privacy laws should address privacy in the context of social networking. The recommendations include making tight privacy restrictions the norm, streamlining the consumer complaint procedure, deletion of inactive accounts, and limiting content that is available to advertisers.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.