Privacy Bulletin: Issue No. 26

New Robocall Rules Take Effect: On September 1, 2009, the Federal Trade Commission's (FTC) "Robocall" rules went into effect. The rules prohibit any prerecorded interstate telemarketing and solicitation calls to consumers unless the consumer has affirmatively elected in writing to accept the calls, including companies’ current customers. Violators may be fined up to $16,000 per call. Exceptions to the rule include calls such as those that deliver purely "informational" messages, and calls from politicians, banks, telephone carriers, and most charitable organizations.

Enforcement of Maine Behavioral Advertising Law Faces Obstacles: On August 28, 2009, the Maine Press Association, in conjunction with Internet safety advocacy group NetChoice, filed a lawsuit to enjoin legislation to prevent predatory marketing practices against minors from taking effect on September 12, 2009. The law makes it illegal to collect personal information about minors on the Internet without parental consent and provides for a private right of action for violation. Opponents claim that the law is unconstitutional because it is overly broad and infringes upon the First Amendment rights of website operators. On August 30, 2009, the Maine Attorney General announced that she would not enforce the law due to similar concerns.

FTC and HHS Issue Personal Health Record Breach Notification Rules: On August 24, 2009, the Department of Health and Human Services (HHS) released an interim final rule that requires healthcare providers, health plans and other entities covered by HIPAA to alert patients, the Secretary of HHS and the media of any unauthorized access to their health information. The interim final rule adopts definitions for breach and unsecured protected health information, specific notification requirements, and opportunity to mitigate exposure. The notifications requirements become effective September 23, 2009. On August 25, 2009, the Federal Trade Commission (FTC) also published in the Federal Register its final rule requiring vendors of personal health records, including third parties who offer personal health records, to notify consumers when their records are compromised. While both agencies were mandated to adopt rules under the American Recovery and Reinvestment Act (ARRA), the FTC's rules remain separate from efforts by the HHS and apply to only a limited number of companies; HHS remains the industry-wide authoritative rule. Companies will need to review their policies to ensure their procedures meet both agencies' requirements.

Radisson Hotels Announces Data Breach: On August 18, 2009, Radisson Hotels, through an open letter to its customers posted on its website, announced that a "limited" number of its guests may have had their personal information, including credit and debit card information, compromised due to a breach in the hotel's computer system. Radisson admitted the breach was discovered last spring, but did not disclose how many customers were affected.

Judge Orders Google to Identify Blogger: On August 19, 2009, a judge for the New York State Supreme Court ordered Google to release the name of a blogger who posted derogatory and defamatory remarks and pictures about model Liskula Cohen on a Google-owned blog site. Although Google eventually took the site down, it would not release the IP address and name until the court ruled. The Blogger then sued Google for failing to protect her identity and breaching her expectation of anonymity.

Upcoming Events
Visit Womble Carlyle's Privacy Team in the Exhibit Hall at the IAPP Privacy Academy in Boston, September 16-18.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.