Privacy Bulletin: Issue No. 29

In the News
FTC Extends Enforcement Deadline for Identity Theft Red Flags Rules: On October 30, 2009, the Federal Trade Commission (FTC) announced that, per congressional request, it will delay the enforcement of the Red Flags Rules until June 1, 2010 for financial institutions and creditors subject to the FTC’s jurisdiction. This news comes on the same day that the United States District Court for the District of Columbia ruled that attorneys will not be subject to the Red Flags Rules. The court held that the FTC's application of the rule to attorneys exceeded the FTC's jurisdiction. Attorneys are not the only professionals seeking exemption from compliance with the Red Flags Rules. Last week, the House passed a bill (H.R. 3763) to exempt Dentists from the reach of the rules as well.

HHS Issues HIPAA Enforcement Rule: On October 30, 2009, the Department of Health and Human Services (HHS) published a final interim rule with a request for comments to strengthen the enforcement of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009. The interim final rule conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act, significantly increasing the monetary penalties for violation. Comments are due by December 29, 2009.

Boucher's Web Privacy Bill Continues to Come Together: Rep. Rick Boucher (D-Va), chairman of the House Subcommittee on Communications, Technology and the Internet, continues to draft legislation that will set guidelines for users and companies as they engage in commerce over the web. Boucher is working to balance the economic benefits that targeted advertising brings to consumers against privacy implications. Boucher hopes to circulate the bill to lawmakers next month.

FTC Settles with Apparel Maker over COPPA Violations: On October 20, 2009, the Federal Trade Commission (FTC) settled charges with Iconix Brand Group, Inc. (Iconix), a group that owns, licenses and markets various children’s apparel, for Iconix's violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA rule. Iconix will pay a $250,000 penalty for knowingly collecting and using personal information, including names, email addresses, and in some cases mailing addresses, from children under the age of 13 who registered on the brand-specific websites to receive updates without obtaining parental consent.

FTC Fines ChoicePoint for Failure to Protect Consumer Data: On October 19, 2009, the Federal Trade Commission (FTC) modified its settlement with ChoicePoint, Inc., one of the nation's largest data brokers, for a 2005 data breach. A 2006 settlement required ChoicePoint to pay $10 million in civil penalties and $5 million in consumer redress and engage in extensive record-keeping and monitoring requirements. The FTC modified the 2006 order due to a subsequent 2008 breach resulting from ChoicePoint’s failure to monitor unauthorized access to databases, which compromised the personal data of approximately 13,750 people. As a result, ChoicePoint will pay an additional $275,000 and will be subject to more stringent reporting duties and data security assessments.

Canada Passes Tough ID Theft Law: On October 27, 2009, the Canadian government announced it had passed new legislation to provide police and courts new tools to fight identity theft. The law creates three new Criminal Code offenses, which target the early stages of ID theft crimes, and the ability for courts to order offenders to pay restitution to victims. The goal of the legislation is to stop identity theft before it occurs.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.