Tuesday, August 4, 2009, 1:42 PM

Privacy Bulletin: Issue No. 24

In the News

FTC Delays Enforcement of Red Flag Rules: On July 29, 2009, the Federal Trade Commission (FTC) announced that it will delay enforcement of its "Red Flags" Rule, for a third time, until November 1, 2009. This delay applies only to enforcement of the Identity Theft Red Flags Rule and does not extend to the rule regarding discrepancies in addresses applicable to users of consumer information, or to the rule regarding changes of address applicable to card issuers. The FTC again delayed its rules in an effort to assist, in particular, small businesses and other entities that may not be clear as to whether the rules apply to them and amidst criticism from the American Bar Association, the American Medical Association, among others, regarding the expansive application of the Rule. The FTC also has stated that it is providing additional guidance to entities so that they may determine the extent of their obligations under the Rules.

North Carolina Tightens Data Breach Statute: On July 27, 2009, North Carolina Governor Beverly Perdue signed into law a stricter version of North Carolina’s existing security breach statute. Session Law 2009-355, SB 1017, amends G.S. § 75-65, which governs data security breaches. Businesses should note that the law the updates notice requirements to include toll free numbers to consumer reporting agencies and government identity theft education resources and mandatory reporting to the Consumer Protection Division of the Attorney General's Office.

HIPAA Security Rule to Be Enforced By Civil Rights Office: On August 3, 2009, the Department of Health & Human Services (HHS) released a memo transferring authority to enforce provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) from the Center for Medicare and Medicaid Services (CMS) to the Civil Rights Office at HHS. The reason for the move was to consolidate enforcement to one area of the Agency.

Payment Card Industry Releases Wireless Security Guidelines For Payment Cards: On July 15, 2009, the Payment Card Industry Security Standards Council (PCI) issued new guidelines relating to recommendations for use of 802.11 wireless access points. While the PCI guidelines for Wireless LAN, which expand upon the 12 part PCI DSS standard, are not mandatory, following the guidelines optimizes consumer protection.

HBSC Firms Fined For Data Security Failures: On July 22, 2009, the UK Financial Services Authority (FSA) announced that it fined three HBSC entities a total of $5 million (£3 million) for failing to have adequate systems and controls in place to protect their customers’ confidential data. An FSA investigation into HBSC's data security systems found that large amounts of unencrypted data had been sent to third parties and confidential information was routinely left unsecured in open areas and unlocked cabinets. The fines stem from the loss of an unencrypted CD containing sensitive personal information of approximately 180,000 policy holders.

Information Commissioner's Office May Issue Fines for Violations of Data Protection Act: On July 22, 2009, the Ministry of Justice granted the Information Commissioner's Office (ICO), an independent UK body tasked to protect personal information and promote public access to official information, the authority to fine businesses for failure to comply with the Data Protection Act, beginning April 1, 2010. Currently, the DPA prohibits the ICO from fining entities for knowing or reckless breaches of the eight data protection principles set forth in the Act.

Upcoming Events – Our 3rd Wednesdays with Winston "brown bag" lunchtime program presented by the Family Online Safety Institute and Womble Carlyle (August 26th, 12-1:30 pm in Womble Carlyle's DC Office), will focus on what's happening with online safety at the Federal Trade Commission (FTC) and what these developments may mean for your business. Attendees will hear from a panel of industry experts on updates to COPPA, behavioral advertising and other issues affecting online safety and privacy, followed by an interactive roundtable discussion. Panelists include: Peder Magee, Federal Trade Commission; Frank Torres, Microsoft; Jules Polonetsky, The Future of Privacy Forum; Eric Breisach, Womble Carlyle; and moderator, Stephen Balkam, FOSI. There is no cost to attend, but space is limited. To register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.


Post a Comment

<< Home

back to top