Privacy Bulletin: Issue No. 23

In the News

Data Breach Laws Take Effect in Alaska and South Carolina: On July 1, 2009, new laws took effect in Alaska and South Carolina requiring entities that experience a data breach involving personally identifiable information (PII) to notify the affected individuals that their information may have been compromised. Both laws apply to all entities doing business in the state, regardless of where they are domiciled and apply to breaches of unencrypted PII on paper and electronic records of state residents. The statutes differ in the definition of what constitutes PII.

Red Flag Rules Are Not Applicable to Participant Loans From 401(k) Accounts: On July 7, 2009, the Federal Trade Commission (FTC) reported that its Red Flags Rule generally does not apply to 401(k) savings plans where the account participant exercises its right to directly take loans from their own accounts. However, subject to this exception, a retirement account is still a covered account under the Rule because, according to the June 11, 2009, interagency guidance: "it involves a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, household, or business purposes."

Advertising Trade Groups Announce Stricter Behavioral Advertising Guidelines:On July 3, 2009, leading advertising trade associations released new self-regulatory principles regarding the tracking and collection of consumer online data. The guidelines consist of seven underlying principles that correspond to the suggested guidelines released by the Federal Trade Commission (FTC) in February 2009 and also address the public education and industry accountability issued raised by the FTC.

IP Addresses Are Not Personally Identifiable Information: On June 23, 2009, a federal judge for the United States District Court for the Western District of Washington ruled that IP addresses are not personally identifiable information. The Court found that Microsoft did not breach its end user licensing agreements with consumers that it would not collect PII without prior consent when it collected IP addresses in conjunction with software updates. The court reasoned that "in order for personally identifiable information to be personally identifiable, it must identify a person. But an IP address identifies a computer." This ruling conflicts with opinions in other jurisdictions which reasoned that consumers expect their IP addresses will remain private.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.